- An unpatched vulnerability in the Windows search URI handler can leak a user’s sensitive NTLMv2 authentication hash.
- The flaw allows attackers to capture hashes via specially crafted links, similar to a patched issue, CVE-2026-33829, in the Snipping Tool.
- Microsoft declined to fix the issue, rating it below their servicing bar for security updates.
- Experts recommend blocking outbound SMB traffic and enforcing SMB signing to mitigate the risk.
Cybersecurity researchers disclosed an unpatched vulnerability in June 2026 that exposes users’ NTLMv2 hashes. This flaw, found in the Windows search: URI handler, was documented by Huntress.
Like a previous spoofing vulnerability, CVE-2026-33829, this issue can be triggered by a malicious link. Clicking such a link forces the system to connect to an attacker-controlled server.
Specifically, the attack uses a “crumb=location:” parameter to initiate the connection. This mechanism, CVE-2023-35636, was previously documented by Varonis for stealing hashes.
The captured NTLMv2 hash can then be used in relay attacks. Attackers leverage these to gain deeper network access.
Following responsible disclosure on April 15, 2026, Microsoft declined to release a patch. The company stated “only Important and Critical severity cases meet our bar for servicing.”
Security professionals now advise blocking outbound SMB ports on non-essential hosts. Enforcing SMB signing and disabling NTLM where possible are also recommended defenses.
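
The three defenses above can be audited and applied per host with built-in Windows cmdlets. The script below is an added example, not code from Huntress or Microsoft; the firewall rule name is constructed, and including TCP 139 and starting the NTLM restriction in audit mode are assumptions of this sketch.

```powershell
# Added example: report, and with -Enforce apply, the mitigations named above.
# Run from an elevated prompt on hosts that need no outbound SMB at all.
param([switch]$Enforce)

$ruleName = 'Block outbound SMB (NTLM leak mitigation)'   # constructed rule name
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Read the current state of each control.
$client = Get-SmbClientConfiguration
$rule   = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$ntlm   = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic `
              -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic

[pscustomobject]@{
    ClientRequiresSigning   = $client.RequireSecuritySignature
    OutboundSmbBlocked      = [bool]($rule | Where-Object {
                                  $_.Enabled -eq 'True' -and $_.Action -eq 'Block' })
    # 0 or missing = allow all, 1 = audit all, 2 = deny all outgoing NTLM
    OutgoingNtlmRestriction = [int]$ntlm
}

if ($Enforce) {
    # Require SMB signing on every connection this client makes.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

    # Block outbound SMB (TCP 445) and SMB over NetBIOS (TCP 139, an assumption
    # of this example) so a forced connection cannot reach a remote server.
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
            -Protocol TCP -RemotePort 445,139 -Action Block -Profile Any | Out-Null
    }

    # Begin by auditing outgoing NTLM (1); raise to deny (2) once the NTLM
    # operational log shows nothing legitimate still depends on it.
    if ([int]$ntlm -lt 1) {
        Set-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic `
            -Value 1 -Type DWord
    }
}
```

Without `-Enforce` the script only reports, which makes it usable as a fleet-wide check before any change is rolled out.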
