Unpatched NTLM Coercion in Windows search: URI Handler, Same Bug, No CVE, No Fix
ID: e3dccef3-f686-5cd2-844c-8e1688bb3ae4
STIX ID: report--e3dccef3-f686-5cd2-844c-8e1688bb3ae4
Feed Name: Huntress Blog
The report details an NTLM credential-leakage issue where Windows URI handlers (search: / search-ms with crumb=location pointing to a UNC path) cause automatic SMB authentication to attacker-controlled servers, exposing Net-NTLMv2 hashes; the author demonstrates reproducible proof-of-concept captures (including link-click in Edge and cmd invocation), contrasts this with a patched Snipping Tool CVE (CVE-2026-33829), documents Microsoft’s decision not to service the finding, and recommends mitigations such as blocking outbound SMB, enforcing SMB signing, and disabling NTLM where possible.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
