Unpatched Windows Search URI Vulnerability Exposes User Credentials
The cybersecurity world is abuzz with the recent disclosure of a critical vulnerability in Windows Search URI handler, which could potentially expose users' NTLMv2 hashes to attackers. This unpatched issue, similar to the CVE-2026-33829 vulnerability affecting the Windows Snipping Tool, poses a significant risk to organizations and individuals alike.
A Familiar Threat
The vulnerability, as explained by Huntress researcher Andrew Schwartz, leverages the 'search:' URI handler to disclose user credentials. By crafting a malicious URL, attackers can trick users into clicking on a link, which then triggers NTLM authentication and reveals the victim's Net-NTLMv2 hash. This hash is a critical piece of information, as it can be used to authenticate as the user and gain unauthorized access to systems.
What makes this issue particularly concerning is its similarity to the CVE-2023-35636 vulnerability, which was documented by Varonis in February 2024. Both vulnerabilities use the 'crumb' parameter to steal the NTLM hash, and they share the same prerequisites and Moderate severity rating. This means that threat actors can potentially exploit this vulnerability to conduct relay attacks and gain deeper access into networks.
Microsoft's Response
Microsoft, the vendor responsible for addressing such vulnerabilities, has been criticized for its handling of this issue. After a responsible disclosure on April 15, 2026, Microsoft declined to patch the vulnerability, citing its severity level. The company stated that only Important and Critical severity cases meet their servicing bar, leaving this vulnerability unaddressed.
Mitigation Strategies
In the absence of a fix, organizations and individuals are advised to take proactive measures to mitigate the risk. Here are some recommended strategies:
- Block Outbound SMB: Restrict outbound SMB (TCP/445 and TCP/139) on hosts that don't require it. This prevents attackers from relaying captured hashes against internal services.
- Enforce SMB Signing: Implement SMB signing to ensure that captured hashes cannot be relayed against internal services.
- Disable NTLM: Disable NTLM authentication where possible, as it is a weaker authentication protocol compared to more secure alternatives.
Personal Perspective
As an expert in cybersecurity, I find this vulnerability deeply concerning. The fact that it remains unpatched despite the potential for significant damage is alarming. It highlights the ongoing challenge of keeping up with the ever-evolving threat landscape. Organizations and individuals must remain vigilant and take proactive steps to protect their systems and data.
In my opinion, Microsoft's decision to prioritize Important and Critical severity cases is understandable but also concerning. It underscores the need for a more comprehensive approach to vulnerability management, especially in the face of such critical issues.
Conclusion
The unpatched Windows Search URI vulnerability is a stark reminder of the ongoing threat posed by unaddressed security flaws. It serves as a call to action for organizations and individuals to prioritize cybersecurity and take proactive measures to protect their systems and data. As experts in the field, we must continue to advocate for responsible vulnerability management and work towards a safer digital environment.
