Windows Search URI Flaw Lets Hackers Steal NTLMv2 Hashes
Robert Moore ·
A newly discovered unpatched vulnerability in the Windows Search URI handler lets attackers steal NTLMv2 hashes. Learn how this attack works and what you can do to protect yourself until Microsoft releases a fix.
So, you've probably heard about that nasty Windows Snipping Tool vulnerability from a while back, right? The one where just opening a screenshot could hand over your credentials? Well, buckle up, because researchers just found a similar trick hiding in a place you'd never expect: the Windows Search feature. And this one hasn't been patched yet.
It all comes down to how Windows handles certain "search:" URIs. Think of a URI like a special shortcut—when you click a link that starts with "search:", Windows opens a search window. But researchers at Huntress discovered that attackers can abuse this to steal your NTLMv2 hash, the challenge-response value Windows derives from your password hash when it authenticates to a remote server.
### How the Attack Works
Here's the scary part: it's surprisingly straightforward. An attacker can craft a malicious file or a link that triggers the search: URI handler. When you click it, Windows reaches out to a remote server—controlled by the attacker—to fetch some data. In the process, your system automatically sends your NTLMv2 hash as part of the authentication handshake.
- The attacker hosts a fake SMB share or a server that requires authentication.
- When your machine tries to access it, it sends your NTLMv2 hash.
- The attacker captures that hash and can then try to crack it offline.
This is the same kind of attack we saw with CVE-2026-33829, which targeted the "ms-screensketch:" handler. That one was patched after Microsoft acknowledged it. But this new one? No fix yet. And that's a big deal.
### Why This Matters for Security Professionals
If you're managing Windows systems, this is a wake-up call. NTLMv2 hashes are gold for attackers. Once they have one, they can use tools like Hashcat to crack weak passwords in minutes. Even if your password is strong, a captured hash can be used in pass-the-hash attacks to move laterally across your network.
Think about it: an employee gets an email with a link that looks legit. They click it, and boom—their hash is stolen. Now the attacker has a foothold. From there, it's a short hop to compromising domain admin accounts.
### What You Can Do Right Now
Unfortunately, there's no official patch yet. But you don't have to sit around and wait. Here are some practical steps:
- Block outbound SMB traffic on your firewall. This prevents your machines from sending NTLM hashes to external servers.
- Enable Windows Defender Exploit Guard to restrict URI handlers.
- Educate your users about phishing links that might trigger these handlers.
- Monitor for unusual SMB traffic in your network logs.
It's not a perfect solution, but it buys you time until Microsoft rolls out a fix. And hey, if you're already using an antidetect browser for your privacy work, you know how important it is to stay ahead of these threats.
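The first and last items in that list (block outbound SMB, watch the logs) as an added PowerShell example. This is my own illustration for an elevated session, not code from the article or from Huntress; the rule names are my choice and the log path is the Windows Firewall default.

```powershell
# Added example: block outbound SMB to non-local addresses and surface any
# blocked attempts from the Windows Firewall log. Run elevated.
# Rule display names below are assumptions, not a Microsoft convention.

$ports = @('445', '139')   # SMB over TCP and NetBIOS session service

foreach ($port in $ports) {
    $name = "Block outbound SMB to Internet (TCP $port)"
    # Skip creation if the rule is already present (script is re-runnable)
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Protocol TCP -RemotePort $port `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Log dropped packets on every profile so a hash-leak attempt leaves a trace
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# pfirewall.log is W3C style: date time action protocol src-ip dst-ip
# src-port dst-port ... path   (path is SEND or RECEIVE, always last)
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $log) {
    Get-Content $log |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |
        ForEach-Object {
            $f = $_ -split ' '
            # Keep only outbound TCP drops whose destination port is SMB
            if ($f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and
                ($ports -contains $f[7]) -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Dest = $f[5]; Port = $f[7] }
            }
        } |
        Sort-Object Dest -Unique |
        Format-Table -AutoSize
}
```

Each destination that shows up in the table is a host one of your machines tried to authenticate to over SMB; that is the list worth feeding into your incident triage.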
### The Bigger Picture
This vulnerability is a reminder that Windows has a lot of hidden features—and some of them are security nightmares. The search: URI handler was meant to make life easier, but now it's a liability. Until Microsoft patches it, the ball is in your court.
Stay sharp, keep your systems locked down, and don't let a simple link ruin your day.