Cybersecurity researchers have identified an unpatched vulnerability in the Windows Search URI handler that could allow attackers to obtain users’ NTLMv2 hashes. This flaw is similar to the previously patched CVE-2026-33829, which affected the Windows Snipping Tool’s ms-screensketch: URI handler, as reported by The Hacker News.
The issue arises from how the ‘search:’ URI handler processes the ‘crumb=location:’ parameter. By crafting a malicious link, an attacker can cause a victim’s system to connect to an attacker-controlled SMB server, thereby exposing the user’s NTLMv2 hash. This mirrors the exploitation technique used in CVE-2026-33829, where the Snipping Tool’s URI handler accepted a ‘filePath’ parameter without proper validation, leading to similar NTLMv2 hash disclosures.
Despite responsible disclosure on April 15, 2026, Microsoft has declined to address this vulnerability, stating that only issues rated as Important or Critical meet its criteria for servicing. Consequently, the flaw remains unpatched and systems remain exposed to it.
To mitigate the risk, security experts recommend blocking outbound SMB traffic on ports TCP/445 and TCP/139 for hosts that do not require it, enforcing SMB signing to prevent captured hashes from being relayed against internal services, and disabling NTLM authentication where feasible.
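One way to apply these three mitigations on a single Windows host, as an added example that is not from the original report or from Microsoft. The firewall rule name is hypothetical, and starting NTLM restriction in audit mode rather than deny mode is an assumption made here so that dependencies can be reviewed first.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the three mitigations above on a single Windows host.
# The rule name and the audit-first NTLM value are choices made for this example.

$ruleName = 'Block outbound SMB (example)'   # hypothetical display name

# 1. Block outbound SMB (TCP/445) and NetBIOS session (TCP/139).
#    Use only on hosts that never need to reach a file server: a block rule
#    with -Profile Any also stops SMB to internal servers.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445, 139 -Profile Any | Out-Null
}

# 2. Require SMB signing. Relay protection comes from the *target* requiring
#    signing, so the server-side setting matters most on internal file servers.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Restrict outgoing NTLM ("Network security: Restrict NTLM: Outgoing NTLM
#    traffic to remote servers"). 1 = audit only, 2 = deny all. Start with 1,
#    review what would break, then move to 2 where feasible.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# Verify the resulting state.
[pscustomobject]@{
    FirewallRuleEnabled = (Get-NetFirewallRule -DisplayName $ruleName).Enabled
    ClientSigning       = (Get-SmbClientConfiguration).RequireSecuritySignature
    ServerSigning       = (Get-SmbServerConfiguration).RequireSecuritySignature
    OutgoingNtlmPolicy  = (Get-ItemProperty -Path $msv).RestrictSendingNTLMTraffic
} | Format-List

# While in audit mode, outgoing NTLM attempts are recorded here (event ID 8001).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

In a domain, the same settings are normally deployed through Group Policy rather than per host; the perimeter firewall should also drop outbound TCP/445 and TCP/139.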
This situation underscores the ongoing challenges in securing legacy protocols like NTLM. Organizations should proactively implement the recommended mitigations to protect their networks, especially given the absence of an official patch from Microsoft.
Source: The Hacker News