Unpatched NTLM Leakage in Windows search: URI Handler, Same Bug, No CVE, No Fix
ID: a760d40a-dedf-59b1-9b65-447e8890be66
STIX ID: report--a760d40a-dedf-59b1-9b65-447e8890be66
Feed Name: Huntress Blog
This report details a Windows URI-handler vulnerability where the search: and search-ms: handlers accept a location parameter that triggers outbound SMB authentication, leaking Net-NTLMv2 hashes to an attacker-controlled server; the author reproduces the issue (including link-click delivery), contrasts it with a patched Snipping Tool URI bug (CVE-2026-33829), documents MSRC's decision not to service this finding, and recommends mitigations such as blocking outbound SMB, enforcing SMB signing, disabling NTLM where possible, and alerting on search:/search-ms: URIs.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
