
Windows Search Handler Enables Theft of NTLMv2 Hashes

Key Point: An unpatched URI handler vulnerability in Windows Search allows attackers to extract NTLMv2 hashes and potentially gain access to Windows authentication tokens.

Security researchers have disclosed an unpatched vulnerability in the Windows Search URI handler (search:) that can be exploited for exfiltration of NTLMv2 hashes. The pattern mirrors the already known CVE-2026-33829 in Snipping Tool.

Huntress researchers have documented an unpatched vulnerability in the search: URI handler of Windows Search. Through this handler, attackers can intercept and disclose NTLMv2 hashes from users – similar to CVE-2026-33829 in Windows Snipping Tool.

The exploit pattern follows the same mechanics as CVE-2026-33829: a malicious ms-screensketch: URI handler could force users to make requests to attacker-controlled servers while disclosing authentication hashes. The newly identified vulnerability in the search: handler exploits the same attack vector with URI-based redirection.

For CISOs, this represents an additional authentication risk on systems where the Windows Search handler is enabled. NTLMv2 hashes are a central target of pass-the-hash attacks and can be cracked if the underlying passwords are weak or offline computing resources are available. Because no patch is available, preventive controls are required: blocking suspicious URI handlers via GPO, segmenting user networks, or disabling Windows Search in high-security environments.
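
A host-side check to go with the controls above, as an added example (not code from Huntress, Microsoft or the source article): it reports whether the two URI schemes named in this article are registered as classic protocol handlers and how the outbound NTLM policy is set. The registry locations are the standard Windows ones; the outbound NTLM restriction is an additional setting assumed relevant here, not one the article lists.

```powershell
# Added example: audit URI-handler registration and outbound NTLM policy on one host.
# Scheme names come from the article; the rest is an assumption of this sketch.
$schemes = 'search', 'ms-screensketch'

# Classic URI handlers are keys under Software\Classes that carry a "URL Protocol" value.
# Packaged apps can also register schemes through their manifest, so an empty result
# here is not proof that a scheme is unhandled.
$roots = [ordered]@{
    Machine = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
    User    = 'Registry::HKEY_CURRENT_USER\Software\Classes'
}

$handlers = foreach ($scheme in $schemes) {
    foreach ($scope in $roots.Keys) {
        $key = "$($roots[$scope])\$scheme"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        if ((Get-Item -LiteralPath $key).GetValueNames() -notcontains 'URL Protocol') { continue }

        # Record what would be launched when the scheme is opened, if a command is set.
        $cmdKey  = "$key\shell\open\command"
        $command = $null
        if (Test-Path -LiteralPath $cmdKey) {
            $command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        }
        [pscustomobject]@{ Scheme = "${scheme}:"; Scope = $scope; Command = $command }
    }
}

# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
# is stored as RestrictSendingNTLMTraffic (0 = allow, 1 = audit, 2 = deny).
$lsa    = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$raw    = (Get-ItemProperty -LiteralPath $lsa -Name RestrictSendingNTLMTraffic `
               -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
$labels = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$ntlm   = if ($null -eq $raw) { 'Not configured (allow all)' } else { $labels[[int]$raw] }

if ($handlers) {
    $handlers | Format-Table -AutoSize
} else {
    'No classic handler registration found for the audited schemes.'
}
"Outgoing NTLM to remote servers: $ntlm"
```

The script only reads the registry and changes nothing, so it can be run per host to see where the listed controls still need to be applied.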


Source: thehackernews.com · Published 3 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.2.9.
