Windows Search URI Handler Vulnerability Exposes NTLMv2 Hashes to Remote Attackers
ID: e29f5a41-eb58-5385-9216-4ad14a4ee547
STIX ID: report--e29f5a41-eb58-5385-9216-4ad14a4ee547
Feed Name: GBHackers
Security researchers observed that Windows' search: and search-ms: URI handlers improperly validate user-supplied parameters, enabling an attacker to embed a UNC path in a crafted URI that forces the system to perform NTLM authentication to an attacker-controlled SMB server, leaking Net-NTLMv2 hashes. The issue requires only a single click and no malware; it remains unpatched, as Microsoft triaged it as below the servicing threshold. It carries practical enterprise risk through NTLM relay, offline cracking, and lateral movement. Recommended mitigations include blocking outbound SMB, enforcing SMB signing, restricting NTLM, and monitoring for suspicious URI and SMB activity.
