New Windows Search Flaw Exposes NTLMv2 Hashes to Attackers

Unpatched Windows Search Vulnerability Leaks NTLMv2 Hashes

Cybersecurity researchers have uncovered a new unpatched issue in Windows that could allow attackers to obtain a user's NTLMv2 hash. According to recent reports, the flaw resides in the search: URI handler, similar to a previously disclosed vulnerability in the Windows Snipping Tool's ms-screensketch: URI handler (tracked as CVE-2026-33829).

How the Attack Works

The vulnerability exploits the way Windows processes search URIs. By tricking a user into clicking a specially crafted link, an attacker can trigger an authentication request that leaks the user's NTLMv2 hash. This hash can then be used in relay attacks or cracked offline to gain unauthorized access.

Comparison to Previous Flaw

The newly flagged issue bears resemblance to CVE-2026-33829, which was a spoofing vulnerability in the Snipping Tool's URI handler. Both flaws leverage Windows URI handlers to initiate unintended network authentication, exposing sensitive credentials.

Current Status

As of now, Microsoft has not released a patch for this vulnerability, leaving users potentially exposed. Researchers have disclosed the details to raise awareness and urge users to take precautionary measures, such as disabling unnecessary URI handlers or using network segmentation to mitigate risk.

Mitigation Advice

Until a fix is available, security experts recommend:

Avoiding clicking on untrusted links that trigger search URIs.
Monitoring for unusual NTLM authentication requests in network logs.
Implementing SMB signing and other protections against relay attacks.

The disclosure highlights ongoing challenges in securing Windows URI handlers and the importance of prompt patching by Microsoft.