Unpatched Windows search URI handler issue leaks NTLMv2 hashes

As reported by The Hacker News, cybersecurity researchers at Huntress have disclosed details of an unpatched issue in the Windows search URI handler that could be exploited to leak a user's NTLMv2 hash to an attacker.

The newly identified issue, similar to a previously patched vulnerability in the Windows Snipping Tool (CVE-2026-33829), resides in the search URI handler. Attackers can induce users to click a specially crafted link, which, when processed by the search handler, can compel the computer to connect to an attacker-controlled SMB server. This connection exposes the user's NTLMv2 hash, enabling the attacker to authenticate as the user. The exploit leverages a "crumb=location:" parameter, a mechanism previously documented in relation to NTLM hash leakage (CVE-2023-35636). Threat actors can use captured hashes for relay attacks to gain deeper network access.

Microsoft has declined to address the issue, classifying it as not meeting their servicing bar for "Important" or "Critical" severity. Mitigation strategies include blocking outbound SMB traffic on non-essential hosts, enforcing SMB signing, and disabling NTLM where possible.

Source: The Hacker News
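A read-only way to check a Windows host against the three mitigations listed above, as an added example that is not from Huntress, Microsoft or The Hacker News. The function name `Test-NtlmLeakMitigation` is hypothetical, and the firewall check assumes the block is implemented as a Windows Defender Firewall rule on TCP 445 rather than at a perimeter device.

```powershell
# Added example: audits outbound SMB blocking, SMB client signing and outgoing NTLM policy.
# Read-only; it changes no settings. Run in an elevated session.
function Test-NtlmLeakMitigation {
    [CmdletBinding()]
    param()

    # 1. Outbound SMB: any enabled outbound Block rule whose port filter covers TCP 445.
    $blockRules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and (@($filter.RemotePort) -contains '445')
        }

    # 2. SMB signing: the client refuses unsigned sessions only when this is True.
    $signingRequired = (Get-SmbClientConfiguration).RequireSecuritySignature

    # 3. Outgoing NTLM policy: 0 or absent = allow, 1 = audit only, 2 = deny all.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $ntlm) { $ntlm = 0 }

    [pscustomobject]@{
        Mitigation = 'Block outbound SMB (TCP 445)'
        InPlace    = [bool]$blockRules
        Detail     = if ($blockRules) { ($blockRules.DisplayName -join '; ') } else { 'No enabled outbound block rule for TCP 445' }
    }
    [pscustomobject]@{
        Mitigation = 'Require SMB client signing'
        InPlace    = [bool]$signingRequired
        Detail     = "RequireSecuritySignature = $signingRequired"
    }
    [pscustomobject]@{
        Mitigation = 'Restrict outgoing NTLM'
        InPlace    = ($ntlm -eq 2)
        Detail     = "RestrictSendingNTLMTraffic = $ntlm (2 denies all outgoing NTLM)"
    }
}

Test-NtlmLeakMitigation | Format-Table -AutoSize -Wrap
```

A firewall rule scoped to specific remote addresses still counts as "in place" here, so review the rule names in the Detail column before relying on the result.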




