Unpatched Windows Bug Leaks Hashes

An unpatched vulnerability in the Windows Search URI handler allows attackers to steal user NTLMv2 hashes, posing a significant security risk.

Cybersecurity researchers have disclosed an unpatched vulnerability in the Windows operating system's `search:` URI handler. The flaw, identified by security firm Huntress, allows an attacker to steal a user's NTLMv2 hash. By tricking a user into clicking a malicious link or opening a specially crafted file, an attacker can trigger the `search:` protocol to connect to a remote server they control. This connection attempt automatically sends the user's NTLMv2 hash, a cryptographic representation of their password used for authentication. Once captured, these hashes can be subjected to offline cracking attempts to recover the original password or used in "pass-the-hash" attacks to impersonate the user.

This issue is particularly concerning because it remains unpatched, leaving Windows systems vulnerable until Microsoft releases a security update. The vulnerability is conceptually similar to a previously discovered flaw, CVE-2026-33829, which affected the URI handler for the Windows Snipping Tool. The recurring pattern of exploiting URI handlers highlights a potential systemic weakness in how Windows manages these protocols. For businesses, this represents a significant risk, as a successful exploit could compromise user credentials, leading to data breaches and lateral movement within corporate environments. IT and security teams should be on high alert for any related suspicious network activity while awaiting an official patch.