Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

A previously undisclosed vulnerability in the Windows Search URI handler allows attackers to steal NTLMv2 hashes, potentially granting them access to sensitive information. This issue bears resemblance to CVE-2026-33829, a spoofing vulnerability in the Windows Snipping Tool's ms-screensketch: URI handler, which was recently disclosed. The search: URI handler vulnerability can be exploited to expose a user's NTLMv2 hash, similar to the previously reported CVE-2026-33829¹. The fact that this vulnerability remains unpatched expands the active attack surface, making it essential for practitioners to prioritize mitigation based on their exposure and available exploitation evidence. This vulnerability is particularly concerning as it could be used to gain unauthorized access to systems and data, emphasizing the need for prompt action to protect against potential attacks. The lack of a patch for this issue means that users are left to rely on workarounds and mitigations to prevent exploitation, making it crucial for security teams to stay vigilant and monitor for signs of attack.