A new Windows security vulnerability has been discovered that could allow attackers to steal NTLMv2 authentication hashes from users. The flaw affects the Windows Search URI handler and currently remains unpatched. Security researchers found that attackers can exploit the issue using specially crafted links. These links can be delivered through emails, websites, or other online platforms.

The vulnerability was identified by researchers at Huntress, who noticed similarities with a previously patched Windows flaw. That earlier issue, known as CVE-2026-33829, affected the Windows Snipping Tool and allowed attackers to capture authentication data. Researchers found that the newly discovered Search URI vulnerability can lead to a similar outcome. However, unlike the previous flaw, this issue has not received a security patch.

According to the research, attackers can abuse the Windows “search:” URI protocol by embedding a remote network location into a malicious link. When a user clicks the link, Windows automatically attempts to connect to an attacker-controlled SMB server. During this connection, the system may send NTLMv2 authentication information. This process can happen without the victim realizing what is taking place.

Although an NTLMv2 hash is not the same as a user’s password, it is still valuable to cybercriminals. Attackers can potentially use the captured data in NTLM relay attacks or attempt to crack it offline. Successful exploitation could help them gain unauthorized access to accounts and systems. This makes the vulnerability a serious concern for organizations and individual users alike.

Researchers reported the issue to Microsoft shortly after the company addressed the related Snipping Tool vulnerability. However, Microsoft decided not to release a security update for the Windows Search URI variant. According to Huntress, Microsoft stated that only vulnerabilities meeting specific severity requirements typically qualify for servicing. As a result, the issue remains unresolved and users currently have no official patch available.

One of the most concerning aspects of the vulnerability is that it does not require malware to be installed. Instead, it takes advantage of Windows’ built-in authentication mechanisms. A victim only needs to click a specially crafted link for the process to begin. The authentication request occurs silently in the background, making the attack difficult for users to detect.

Researchers have also pointed out that the vulnerability has not been assigned a CVE identifier. This means some organizations may not be tracking the issue through their normal vulnerability management processes. Security experts believe the flaw deserves attention because it shares similar behavior with previously patched vulnerabilities. They also warn that comparable weaknesses could exist in other Windows URI handlers.

Until Microsoft provides a fix, security experts recommend several protective measures. Organizations should block unnecessary outbound SMB traffic, especially on ports 445 and 139. Security teams are also encouraged to monitor for suspicious use of “search:” and “search-ms:” links across emails, websites, and logs. For now, proactive monitoring and strong network controls remain the best defense against this newly disclosed vulnerability.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news