Critical NTLMv2 Hash Disclosure via Windows Search URI Handler (CVE‑2026‑33829) Threatens Enterprise Environments
What It Is – Researchers have identified an unpatched vulnerability in the Windows search: URI handler that can be abused to force a client to transmit its NTLMv2 hash to a malicious server. The flaw is similar to the previously disclosed CVE‑2026‑33829 in the Snipping Tool’s ms‑screensketch: handler, but targets the more widely used search protocol.
Exploitability – Proof‑of‑concept code demonstrates that a crafted hyperlink (e.g., search://malicious) can trigger the hash leak without user interaction beyond clicking the link. No public exploit kit is known, but the technique is trivial for a skilled attacker. CVSS (pre‑release) is estimated at 8.2 (High) due to credential theft and potential lateral movement.
Affected Products – Microsoft Windows 10 (1809 and later) and Windows 11 desktop editions where the search: URI handler is enabled. The issue is present in all supported builds that have not received a corrective update.
TPRM Impact –
- Credential Exposure: Harvested NTLMv2 hashes can be relayed or cracked, giving threat actors footholds into third‑party environments.
- Supply‑Chain Risk: Vendors that rely on Windows‑based workstations for development, CI/CD, or remote support inherit the same exposure, potentially compromising downstream customers.
Recommended Actions –
- Disable the search: URI handler via Group Policy (Computer Configuration → Administrative Templates → Windows Components → Search → “Allow search protocol” → Disabled).
- Enforce SMB signing and disable NTLM fallback on domain controllers and critical servers.
- Monitor for anomalous NTLM authentication to external IPs using SIEM/EDR.
- Apply any forthcoming Microsoft patch as soon as it is released; keep Windows Update fully enabled.
- Educate users to avoid clicking unknown links, especially in email or chat.
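The monitoring recommendation above (flagging NTLM authentication from workstations to external hosts) can be turned into a simple triage rule. The script below is an added example, not code from The Hacker News article or from Microsoft. It assumes a SIEM has exported the client-side outgoing-NTLM audit events (Windows logs these in the Microsoft-Windows-NTLM/Operational channel as Event ID 8001 when the "Restrict NTLM: Audit outgoing NTLM traffic to remote servers" policy is enabled) as key=value lines; the field names, hostnames, users, addresses and the internal DNS suffix are all constructed for the example, and the list of "internal" address ranges is an assumption you would replace with your own.

```python
"""Flag outgoing NTLM authentications whose target lies outside the
organisation's address space.

Added illustrative example, not from the article or from Microsoft.
The log format is constructed: it imitates a SIEM export of Windows
NTLM/Operational Event ID 8001 records, but every field name, host,
user, address and process below is invented for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample export: one key=value record per line.
# The 203.0.113.0/24 address is a documentation range used here as a
# stand-in for an arbitrary Internet host.
SAMPLE_LOG = """\
ts=2026-03-01T09:14:02Z host=WS-0421 event_id=8001 user=CORP\\jdoe target=fs01.corp.example proc=explorer.exe
ts=2026-03-01T09:16:45Z host=WS-0421 event_id=8001 user=CORP\\jdoe target=203.0.113.17 proc=explorer.exe
ts=2026-03-01T09:17:01Z host=WS-0199 event_id=8001 user=CORP\\asmith target=10.20.30.40 proc=outlook.exe
ts=2026-03-01T09:18:33Z host=WS-0199 event_id=8001 user=CORP\\asmith target=share.evil-example.net proc=explorer.exe
ts=2026-03-01T09:20:10Z host=WS-0777 event_id=4624 user=CORP\\svc target=10.0.0.5 proc=lsass.exe
"""

# Assumption: address ranges considered "internal". Replace with the
# organisation's real allocations; RFC 1918, loopback and link-local here.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Assumption: DNS suffixes that belong to the organisation.
INTERNAL_SUFFIXES = (".corp.example",)

OUTGOING_NTLM_AUDIT_EVENT = "8001"
RECORD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    target: str
    proc: str
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict (values contain no whitespace)."""
    return dict(RECORD_RE.findall(line))


def is_internal_target(target: str) -> bool:
    """True if the target is an internal IP literal or an internal hostname."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: judge by DNS suffix, case-insensitively.
        return target.lower().endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_ntlm(log_text: str) -> List[Finding]:
    """Return one Finding per outgoing-NTLM audit event aimed at an external target."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("event_id") != OUTGOING_NTLM_AUDIT_EVENT:
            continue  # other events (e.g. 4624 logons) are not in scope
        target = rec.get("target", "")
        if not target or is_internal_target(target):
            continue
        try:
            ipaddress.ip_address(target)
            reason = "external IP"
        except ValueError:
            reason = "non-corporate hostname"
        findings.append(Finding(rec.get("ts", "?"), rec.get("host", "?"),
                                rec.get("user", "?"), target,
                                rec.get("proc", "?"), reason))
    return findings


def count_by_host(findings: List[Finding]) -> Dict[str, int]:
    """Aggregate findings per workstation for prioritising response."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_external_ntlm(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} -> {f.target} ({f.proc}): {f.reason}")
    print(count_by_host(find_external_ntlm(SAMPLE_LOG)))
```

A hit on this rule is a lead, not a verdict: legitimate NTLM to an unlisted partner network will also fire, so tune `INTERNAL_NETS` and `INTERNAL_SUFFIXES` from your asset inventory and pair the alert with the originating process and the user's recent link clicks when triaging.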
Source: The Hacker News