Cybersecurity researchers have disclosed details of a newly identified vulnerability in Microsoft Windows that could allow attackers to steal a user’s NTLMv2 hash through exploitation of the Windows Search URI handler. The issue, which currently remains unpatched, has raised concerns among security professionals because attackers may be able to use the exposed authentication data to gain deeper access into targeted networks. According to cybersecurity company Huntress, the flaw shares technical similarities with a previously patched Microsoft vulnerability identified as CVE-2026-33829, which affected the Windows Snipping Tool and enabled attackers to expose sensitive information by exploiting a URI handler.
Researchers explained that the newly discovered issue resides within the Windows “search:” URI handler and can be abused through a specially crafted command using the “crumb=location:” parameter. Similar to the previously disclosed Snipping Tool weakness, the vulnerability can reportedly be triggered if a victim clicks a malicious link embedded in a web page, email message, or other URL source. Once activated, the manipulated link may force the targeted system to connect to a Server Message Block (SMB) server controlled by an attacker. This interaction can trigger NTLM authentication and expose the victim’s Net NTLMv2 hash, which could later be leveraged by malicious actors for unauthorized authentication attempts. Huntress researcher Andrew Schwartz stated that the flaw follows the same NTLM leakage mechanism observed in earlier vulnerabilities, producing the same Net NTLMv2 exposure while carrying similar requirements for exploitation and a moderate severity assessment.
The disclosure follows Microsoft’s handling of CVE-2026-33829, a spoofing vulnerability patched in April 2026 that impacted the Windows Snipping Tool’s “ms-screensketch:” URI handler. In that case, Microsoft explained that attackers could manipulate the “filePath” parameter to force systems into connecting with attacker controlled SMB servers, resulting in the disclosure of NTLMv2 hashes. According to researchers, the newly identified Windows Search URI issue achieves a similar outcome through the use of the “search:” function and the “crumb=location:” parameter instead of “filePath.” Security researchers also noted that exploitation methods involving the “crumb” parameter for NTLM hash theft had been documented previously under CVE-2023-35636 by cybersecurity firm Varonis in early 2024, indicating a recurring security concern involving Windows URI handlers and authentication mechanisms.
Following responsible disclosure to Microsoft on April 15, 2026, the company reportedly declined to issue a fix for the newly reported weakness, stating that only vulnerabilities classified as Important or Critical meet its servicing threshold. In the absence of an official patch, cybersecurity experts are advising organizations to implement defensive measures to reduce risk exposure. Recommended mitigations include blocking outbound SMB traffic over TCP ports 445 and 139 on systems where it is not necessary, enforcing SMB signing to reduce the likelihood of successful relay attacks, and disabling NTLM authentication wherever practical. Researchers warned that captured NTLMv2 hashes could potentially be used in relay attacks to move deeper into enterprise environments, making preventative security controls important for organizations relying heavily on Windows infrastructure.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
