
Windows Search: Microsoft Rejects Patch for NTLM Hash Vulnerability

Bottom line: Attackers can extract NTLMv2 hashes through manipulated search links – Microsoft deems the risk too low for a patch.

Security company Huntress has documented an unpatched vulnerability in the Windows Search URI handler through which attackers can capture NTLMv2 hashes. Microsoft has explicitly declined to remediate the flaw.

Security company Huntress reported the unpatched Microsoft Windows vulnerability through responsible disclosure on April 15, 2026. The issue lies in the operating system's search: URI handler. Attackers craft links that carry the crumb=location parameter (for example search:query=test&crumb=location:\\10.0.1.100\share) and embed them in web pages or emails. When a user clicks such a link and confirms execution, Windows automatically connects to the attacker-controlled SMB server named in the parameter and, in the process, transmits the NTLMv2 hash of the logged-in user.

Using the intercepted hash, cybercriminals can subsequently authenticate as the affected user account to other services on the internal network and compromise additional systems. Huntress researchers also identified technical parallels to previously patched vulnerabilities: CVE-2023-35636 (February 2024) and CVE-2026-33829 (April 2026, Windows Snipping Tool) exploited the same NTLM leak mechanism and produced the same network NTLMv2 leak under identical conditions.
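Defenders can hunt for the link shape described above in mail bodies, HTML attachments or proxy logs. The following PowerShell function is an added example, not code from Huntress or from the article: it extracts every search: URI whose crumb=location value names a UNC path, reports the host it points at, and marks whether that host is a private address. The sample inputs are constructed for illustration; the helper names and the regular expression are assumptions of this example.

```powershell
# Added example: flag search: URIs that carry crumb=location:\\host\share.
# Works on any text (mail body, HTML, log line). Sample inputs below are constructed.

function Test-PrivateHost {
    param([string]$HostName)
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($HostName, [ref]$ip) -and $ip.AddressFamily -eq 'InterNetwork') {
        $b = $ip.GetAddressBytes()
        return ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168) -or
               ($b[0] -eq 127)
    }
    # An unqualified name (no dot) resolves inside the local domain; anything else is treated as external.
    return -not $HostName.Contains('.')
}

function Find-SuspiciousSearchUri {
    param([Parameter(Mandatory)][string]$Text)

    # Decode URL-encoded forms (%5C, %2F) so an encoded UNC path is not missed.
    $decoded = [uri]::UnescapeDataString($Text)

    # search: URI followed, somewhere in the same URI, by crumb=location: and a UNC path
    # written as \\host\share or //host/share. The host is captured for triage.
    $pattern = 'search:[^\s"''<>]*?crumb=location:(?:\\\\|//)(?<host>[^\\/\s"''<>&]+)'

    foreach ($m in [regex]::Matches($decoded, $pattern, 'IgnoreCase')) {
        $hostName = $m.Groups['host'].Value
        [pscustomobject]@{
            Uri     = $m.Value
            Host    = $hostName
            Private = Test-PrivateHost $hostName
        }
    }
}

# Constructed samples: one in the shape the article describes, one URL-encoded with a
# TEST-NET address, and one benign search: link without a crumb parameter.
$samples = @(
    '<a href="search:query=test&crumb=location:\\10.0.1.100\share">open</a>',
    'search:query=report&crumb=location:%5C%5C203.0.113.5%5Cdocs',
    'search:query=invoices'
)
$samples | ForEach-Object { Find-SuspiciousSearchUri -Text $_ } | Format-Table -AutoSize
```

The third sample produces no finding because it has no crumb=location value. An external host is the clearest signal, but a private one still deserves a look, since the same link could point a workstation at a rogue SMB listener inside the network.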

Despite these parallels, Microsoft rejected a security fix. The vendor rates the vulnerability as Moderate and points to its policy: official security patches are only provided for bugs rated Important or Critical. This leaves the vulnerability open on all systems that handle the search: URI scheme by default.

For administrators, manual protective measures remain: blocking outbound SMB traffic (TCP 445, TCP 139) for computers that do not need to reach external SMB shares; enforcing SMB signing to prevent relay attacks; and disabling NTLM authentication in Active Directory environments, where compatible.
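The three measures above can be applied on a single host with built-in cmdlets. The script below is an added example, not a procedure from the article or from Microsoft: it assumes an elevated PowerShell session on Windows 10/11 or Server, uses the Windows Firewall "Internet" address keyword so that intranet shares keep working, and implements the NTLM restriction through the registry values behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies. The -AuditOnly switch and the rule name are choices of this example.

```powershell
# Added example: apply the article's three mitigations on one host and report the result.
# Run elevated. Run with -AuditOnly first; denying outgoing NTLM breaks any remaining
# NTLM-only service, so roll the deny setting out via GPO once the audit log is clean.
param([switch]$AuditOnly)

# 1. Block outbound SMB (TCP 445/139) to Internet destinations. Use -RemoteAddress Any
#    instead on hosts that need no SMB at all.
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445,139 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 2. Require SMB signing on both the client and server side so a captured
#    authentication exchange cannot be relayed to another host.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Restrict NTLM. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM/NTLMv1.
#    RestrictSendingNTLMTraffic: 1 = audit all outgoing NTLM, 2 = deny all outgoing NTLM
#    (GPO: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers").
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value 5
$ntlmMode = if ($AuditOnly) { 1 } else { 2 }
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Type DWord -Value $ntlmMode

# Report the resulting state so the change can be verified or fed into a compliance check.
[pscustomobject]@{
    OutboundSmbBlocked   = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    SmbClientSigning     = (Get-SmbClientConfiguration).RequireSecuritySignature
    SmbServerSigning     = (Get-SmbServerConfiguration).RequireSecuritySignature
    LmCompatibilityLevel = (Get-ItemProperty -Path $lsa).LmCompatibilityLevel
    RestrictSendingNTLM  = (Get-ItemProperty -Path $msv).RestrictSendingNTLMTraffic
}
```

In audit mode the blocked-or-would-be-blocked NTLM authentications appear in the Microsoft-Windows-NTLM/Operational event log; review that log for legitimate dependencies before switching to deny. The firewall rule alone already stops the hash from reaching an Internet-hosted SMB server, which is the scenario the article describes.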


Source: www.it-daily.net · Published June 5, 2026
Lumi AI News — AI-assisted curation per Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.
