SILENT NIGHT: Local Privilege Escalation in a Major Windows Desktop Accounting Application

All is calm, all is quiet... and then a standard user quietly wakes up as SYSTEM.

Reported, awaiting vendor acknowledgement

A second, distinct SYSTEM-level flaw in the affected application. A standard, non-administrator user can gain full SYSTEM control in a single step on a fully updated install, with no admin rights and no reboot. Reported to the vendor through a coordinated channel. Full root-cause analysis and proof-of-concept are withheld at the vendor's request.

[Infographic: SF-LABS-2026-03 SILENT NIGHT, single-step privilege escalation in an undisclosed major Windows desktop accounting application. One action grants a standard user instant SYSTEM control with no reboot and no user interaction. Vendor under embargo.]

Demonstration

Proof-of-Concept Video

Video proof-of-concept will be added when available. The recording shows the escalation path end-to-end, from the unprivileged-user starting state to the SYSTEM shell that results.

Disclosure Record

Timeline and Affected Surface

Advisory ID: SF-LABS-2026-03
Codename: SILENT NIGHT
Vendor: Undisclosed (withheld at the vendor's request)
Product: Major Windows desktop accounting application (current shipping release, fully updated)
Vulnerability class: Local privilege escalation to SYSTEM
Discovery date: 2026-06-13
Vendor notified: 2026-06-13
Vendor acknowledged: Awaiting acknowledgement
CVE ID: Being pursued via independent coordination
Affected versions: Withheld at the vendor's request
Researcher: Ryan Purita, Principal Security Consultant, Sherlock Forensics
Methodology: Original research by Sherlock Forensics Labs

Sherlock Forensics adheres to coordinated disclosure timelines. Technical specifics, proof-of-concept code and remediation guidance are withheld at the vendor's request. We do not publish details that could enable exploitation while affected users remain vulnerable.

Public Summary

What is Publicly Disclosed Now

SF-LABS-2026-03 SILENT NIGHT is the second distinct local privilege escalation finding in an undisclosed major Windows desktop accounting application disclosed by Sherlock Forensics Labs. The first finding (SF-LABS-2026-02 BLANK CHECK) targets a separate component of the same application. SILENT NIGHT operates on a different code path. Both findings reach SYSTEM from a standard non-administrator user context on a fully patched Windows host running the current shipping release of the affected application.

The exploit requires the attacker to already have code execution in a standard non-administrator user context on the target machine. That foothold is the routine outcome of phishing, drive-by download or commodity malware. SILENT NIGHT converts any such standard-user foothold into SYSTEM with no user interaction and no reboot.

Defensive recommendations for the embargo period are limited to standard local-attack-surface hardening: enforce least-privilege user accounts, restrict execution of unsigned or untrusted binaries from user-writable locations and review installed-software inventory against the public affected-versions list once it lands.

Sherlock Forensics will not publish further technical detail. This advisory is held in unnamed form at the vendor's request. Researchers and incident response teams who need pre-release notification under NDA can reach the lab at labs@sherlockforensics.com.

About

About Sherlock Forensics Labs

Sherlock Forensics Labs is the research arm of Sherlock Forensics, a digital forensics and cybersecurity practice based in Vancouver, BC. Lead researcher Ryan Purita is a Principal Security Consultant with 20 years of courtroom-tested digital forensics work plus CISSP, ISSAP and ISSMP certification. The lab follows coordinated disclosure with vendor-acknowledged release provisions. See the Labs hub for active and archived disclosures.