logo

Unpatched NTLM Coercion in Windows search: URI Handler, Same Bug, No CVE, No Fix

ID: e3dccef3-f686-5cd2-844c-8e1688bb3ae4

STIX ID: report--e3dccef3-f686-5cd2-844c-8e1688bb3ae4

Feed Name: Huntress Blog

Threat Score
60/100

Date Published: 2026-06-02

Date Updated: 2026-06-03

...
...

The report details an NTLM credential-leakage issue where Windows URI handlers (search: / search-ms with crumb=location pointing to a UNC path) cause automatic SMB authentication to attacker-controlled servers, exposing Net-NTLMv2 hashes; the author demonstrates reproducible proof-of-concept captures (including link-click in Edge and cmd invocation), contrasts this with a patched Snipping Tool CVE (CVE-2026-33829), documents Microsoft’s decision not to service the finding, and recommends mitigations such as blocking outbound SMB, enforcing SMB signing, and disabling NTLM where possible.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.