Huntress researchers have disclosed an unpatched vulnerability in Windows Search's URI handler that allows attackers to steal NTLMv2 password hashes from targeted users. The flaw operates through the search: URI protocol handler, following a pattern similar to CVE-2026-33829, a spoofing flaw in the Windows Snipping Tool's ms-screensketch: URI handler.

The attack exploits how Windows Search processes URI requests. When a user clicks a malicious link or visits a compromised website containing specially crafted search: URIs, the handler can be manipulated to redirect authentication requests to an attacker-controlled server. Windows then automatically transmits the user's NTLMv2 hash during this attempted authentication, exposing credentials without the user's knowledge or consent.

NTLMv2 hashes represent a high-value target. While not immediately usable as plaintext passwords, these hashes can be subjected to offline brute-force or dictionary attacks. Attackers with sufficient computational resources or access to password cracking tools can feasibly recover the original passwords, especially if users employ weak or common credentials. Compromised hashes also enable attackers to conduct relay attacks, using the stolen authentication material to impersonate users on internal network resources.

The vulnerability affects Windows systems with Search enabled. Exploitation requires no user interaction beyond clicking a link, making it practical for phishing campaigns or drive-by attacks. Organizations cannot currently apply a patch, leaving systems vulnerable until Microsoft addresses the issue.

Microsoft has not yet announced patches or official remediation timelines. Organizations should monitor for official guidance and consider disabling the search: URI handler where operationally feasible as a temporary mitigation. Users should exercise caution with untrusted links and consider employing URL filtering or advanced email security controls to block malicious URIs before they reach endpoints.
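The following PowerShell script is an added example (not from Huntress or the article) for auditing, and optionally disabling, the search: handler registration as the temporary mitigation above describes. It assumes the handler follows Windows' documented URI-scheme convention (a key named after the scheme under HKEY_CLASSES_ROOT carrying a "URL Protocol" value); the key name and backup path are assumptions, so validate on a test system and run elevated.

```powershell
# Added example (not from the article or Huntress). Audits how the "search:" URI
# scheme is registered and, with -Disable, backs the key up and removes the
# "URL Protocol" marker so browsers no longer hand search: links to the handler.
# Assumption: the handler uses Windows' documented convention of a key named
# after the scheme under HKEY_CLASSES_ROOT; adjust -Scheme if your build differs.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Scheme = 'search',
    [switch]$Disable,
    [string]$BackupDir = "$env:ProgramData\uri-handler-backup"   # assumed location
)

$keyPath = "Registry::HKEY_CLASSES_ROOT\$Scheme"

if (-not (Test-Path $keyPath)) {
    Write-Output "No '$Scheme' key under HKCR; scheme is not registered as a URI handler."
    return
}

# "URL Protocol" is the marker that makes shell and browsers treat the key as a scheme.
$key        = Get-Item $keyPath
$isProtocol = $null -ne $key.GetValue('URL Protocol', $null)
$command    = (Get-ItemProperty "$keyPath\shell\open\command" -ErrorAction SilentlyContinue).'(default)'

[pscustomobject]@{
    Scheme                  = $Scheme
    RegisteredAsURLProtocol = $isProtocol
    OpenCommand             = $command
} | Format-List

if (-not $Disable) { return }
if (-not $isProtocol) {
    Write-Output "'URL Protocol' marker already absent; nothing to disable."
    return
}

# Export the whole key first so the change can be reverted with 'reg import'.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("HKCR_{0}_{1:yyyyMMdd-HHmmss}.reg" -f $Scheme, (Get-Date))
& reg.exe export "HKCR\$Scheme" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup failed; not modifying the registry." }

if ($PSCmdlet.ShouldProcess("HKCR\$Scheme", "Remove 'URL Protocol' value")) {
    Remove-ItemProperty -Path $keyPath -Name 'URL Protocol'
    Write-Output "Removed 'URL Protocol' from HKCR\$Scheme. Backup: $backup"
}
```

Removing only the marker value rather than the whole key leaves the application's own registration in place, and importing the exported .reg file restores the handler once a patch is available.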

The disclosure