logo

Unpatched NTLM Leakage in Windows search: URI Handler, Same Bug, No CVE, No Fix

ID: a760d40a-dedf-59b1-9b65-447e8890be66

STIX ID: report--a760d40a-dedf-59b1-9b65-447e8890be66

Feed Name: Huntress Blog

Threat Score
55/100

Date Published: 2026-06-02

Date Updated: 2026-06-11

...
...

This report details a Windows URI-handler vulnerability where the search: and search-ms: handlers accept a location parameter that triggers outbound SMB authentication, leaking Net-NTLMv2 hashes to an attacker-controlled server; the author reproduces the issue (including link-click delivery), contrasts it with a patched Snipping Tool URI bug (CVE-2026-33829), documents MSRC's decision not to service this finding, and recommends mitigations such as blocking outbound SMB, enforcing SMB signing, disabling NTLM where possible, and alerting on search:/search-ms: URIs.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.