Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes
Cybersecurity researchers from Huntress have disclosed an unpatched vulnerability in the Windows search: URI handler that can be exploited to steal a user's NTLMv2 hash. The issue mirrors a previously disclosed flaw in the Windows Snipping Tool's ms-screensketch: URI handler, tracked as CVE-2026-33829, which allowed spoofing and hash disclosure.

The newly identified flaw resides in the search: protocol handler, which applications and web browsers use to launch Windows Search queries. An attacker can craft a malicious link that, when clicked, causes Windows to attempt NTLMv2 authentication against an attacker-controlled server, allowing the hash to be captured. The captured hash can then be used in relay attacks or subjected to offline brute-force attempts to recover the user's password.

Microsoft has not yet released a patch, leaving users exposed. The disclosure highlights the ongoing risk posed by URI handlers, which are often overlooked in security assessments. Until a fix is available, Huntress recommends that users exercise caution when clicking links from untrusted sources and that administrators consider blocking the search: URI handler via group policy or registry modifications.
Unpatched URI handler flaw enables credential theft, risking lateral movement and privilege escalation.
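As an added example, not part of the Huntress report, the following PowerShell script inventories every URI scheme registered on a Windows host and, when run elevated with `-Disable`, backs up and removes the search: handler that the article recommends blocking. It assumes handlers follow the standard registry layout (a `HKEY_CLASSES_ROOT\<scheme>` key carrying a `URL Protocol` value and a `shell\open\command` subkey); the `Get-UriHandler` and `Disable-UriHandler` function names and the backup directory are the example's own choices.

```powershell
# Added example: audit registered URL protocol handlers and optionally block
# the search: handler by exporting and removing its registry key.
# Assumption: handlers use the standard HKCR\<scheme> + "URL Protocol" layout.
param(
    [string[]]$Suspect = @('search'),   # schemes to flag / disable
    [switch]$Disable,                   # only act when explicitly requested
    [string]$BackupDir = "$env:ProgramData\UriHandlerBackups"
)

function Get-UriHandler {
    # Every direct subkey of HKCR that carries a "URL Protocol" value is a
    # registered URI scheme; report its scheme, launch command and whether
    # it is on the suspect list.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $cmdKey = Join-Path $_.PSPath 'shell\open\command'
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Scheme  = $_.PSChildName
                Command = $cmd
                Suspect = ($Suspect -contains $_.PSChildName)
            }
        }
}

function Disable-UriHandler {
    param([string]$Scheme)
    $key = "HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path "Registry::$key")) { return "$Scheme`: not registered" }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir "$Scheme.reg"
    # Export first so the handler can be restored later with: reg import <file>
    reg.exe export $key $backup /y | Out-Null
    Remove-Item -Path "Registry::$key" -Recurse -Force
    return "$Scheme`: removed (backup at $backup)"
}

# Print the full inventory; flagged schemes show Suspect = True.
$handlers = Get-UriHandler
$handlers | Sort-Object Scheme | Format-Table -AutoSize

# Blocking is opt-in and requires an elevated session.
if ($Disable) {
    $handlers | Where-Object Suspect | ForEach-Object { Disable-UriHandler $_.Scheme }
}
```

Run it without switches first to review which schemes and launch commands are present; the removal step writes a .reg backup so the handler can be restored once a patch ships.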