Unpatched NTLM Vulnerability in Windows Search URI Handlers Exposes Credentials
Severity: Medium (Score: 51.9)
Sources: www.varonis.com, github.com, Huntress
Keywords: thank, unpatched, ntlm, windows, search, handler, same
Severity indicators: bug, unpatched, no fix
Summary
On April 14, 2026, Microsoft patched CVE-2026-33829, an NTLM credential coercion bug in the Windows Snipping Tool with a CVSS score of 4.3. The vulnerability allowed attackers to exploit the ms-screensketch: URI handler, exposing a victim's Net-NTLMv2 hash through a single link click. The bug did not require malware and the captured hash could be used in NTLM relay attacks or offline password cracking. Following the patch, a similar vulnerability was reported in another URI handler, but the report was closed without a CVE or fix. The same NTLM coercion mechanism is involved, indicating a broader issue within Windows URI handlers. Users on Windows 11 25H2 Pro with default Defender settings are at risk if they click a specially crafted link. The vulnerability highlights a significant gap in Microsoft's handling of URI security. As of now, there is no fix for the newly reported issue.

Key Points:
- CVE-2026-33829, patched on April 14, 2026, addresses an NTLM coercion bug.
- A similar vulnerability was reported but closed without a CVE or fix, indicating ongoing risk.
- Attackers can exploit these vulnerabilities without malware, through user interaction alone.
Detailed Analysis
**Impact**

Windows 11 users running version 25H2 Pro, Build 26200.8524, are affected, including standard user accounts without admin privileges. An attacker can capture Net-NTLMv2 hashes without installing malware or using a complex exploit, which can enable lateral movement or unauthorized access in enterprise networks. Any organization that relies on NTLM authentication is exposed; no geographic or sector limitation is specified. Because the first invocation per logon leaks credentials, phishing campaigns are highly effective.

**Technical Details**

The attack exploits unpatched NTLM credential coercion in Windows URI handlers: the ms-screensketch: handler and a second handler (the search: URI handler named in the Huntress write-ups) that uses a crumb=location: parameter. Both trigger an automatic outbound UNC path connection that leaks the Net-NTLMv2 hash through NTLM authentication. The CVE-2026-33829 patch addresses only the Snipping Tool's ms-screensketch: handler; the second handler remains unpatched and has no CVE assigned. The attack requires user interaction with a specially crafted link, launched from the command line or a browser click, and a listener such as Responder to capture the hashes. The vulnerability abuses DelegateExecute COM activation with CLSID {90b9bce2-b6db-4fd3-8451-35917ea1081b}.

**Recommended Response**

Apply the April 14, 2026 patch for CVE-2026-33829 to remediate the Snipping Tool URI handler. Monitor network traffic for unexpected outbound SMB/NTLM authentication attempts to unknown UNC paths, especially shortly after user link clicks. Deploy detections for Responder and similar NTLM relay tools in the environment. Since the second URI handler remains unpatched, restrict or block execution of untrusted URI schemes and educate users not to click suspicious links. No fix is currently available for the second handler; continuous monitoring is essential.
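The monitoring step in the recommended response can be turned into a simple correlation rule. The script below is an added example, not code from Huntress, Varonis or the GitHub PoC: it runs over constructed Sysmon-style events (field names modelled on Sysmon Event ID 1 process creation and Event ID 3 network connection, values made up) and flags outbound SMB connections (TCP 445/139) to hosts outside a defender-maintained file-server allowlist, rating a finding higher when a launch of one of the URI schemes named on this page (ms-screensketch:, search:) preceded it on the same host within a short window. The allowlist network, window length and sample command lines are assumptions.

```python
"""Detection sketch: outbound SMB shortly after a URI-handler launch.

Added example; field names mimic Sysmon Event ID 1 / Event ID 3 but every
value below is constructed, not captured telemetry.
"""
import ipaddress
from datetime import datetime, timedelta

# URI schemes named on the page; matched case-insensitively in command lines.
URI_SCHEMES = ("ms-screensketch:", "search:")

# SMB over TCP and NetBIOS session service, the transports for the leaked NTLM auth.
SMB_PORTS = {445, 139}

# Assumption: legitimate file servers live in this network; anything else is unknown.
TRUSTED_SMB_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample telemetry (argument after the scheme is a placeholder, not a real URI).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-06-02 09:00:00", "Computer": "WS01",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": 'explorer.exe "ms-screensketch:constructed-sample-argument"'},
    {"EventID": 3, "UtcTime": "2026-06-02 09:00:02", "Computer": "WS01",
     "Initiated": True, "DestinationIp": "203.0.113.7", "DestinationPort": 445},
    {"EventID": 3, "UtcTime": "2026-06-02 09:05:00", "Computer": "WS02",
     "Initiated": True, "DestinationIp": "10.0.5.10", "DestinationPort": 445},
    {"EventID": 3, "UtcTime": "2026-06-02 09:07:00", "Computer": "WS03",
     "Initiated": True, "DestinationIp": "10.0.9.23", "DestinationPort": 445},
    {"EventID": 3, "UtcTime": "2026-06-02 09:08:00", "Computer": "WS01",
     "Initiated": True, "DestinationIp": "203.0.113.50", "DestinationPort": 443},
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def _is_trusted(ip, trusted):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def _launched_uri_handler(event):
    # Process-creation event whose command line carries one of the watched schemes.
    cmd = event.get("CommandLine", "").lower()
    return event.get("EventID") == 1 and any(s in cmd for s in URI_SCHEMES)


def find_suspicious_smb(events, window_seconds=30, trusted=TRUSTED_SMB_NETWORKS):
    """Return findings for outbound SMB to non-allowlisted hosts.

    severity "high": a URI-handler launch on the same host preceded the
    connection within window_seconds; "medium": unexpected SMB with no
    such launch (still worth a look, since NTLM coercion has other triggers).
    """
    findings = []
    launches = {}  # Computer -> list of (timestamp, CommandLine)
    window = timedelta(seconds=window_seconds)
    for ev in sorted(events, key=lambda e: _parse_time(e["UtcTime"])):
        ts = _parse_time(ev["UtcTime"])
        host = ev["Computer"]
        if _launched_uri_handler(ev):
            launches.setdefault(host, []).append((ts, ev["CommandLine"]))
            continue
        if ev.get("EventID") != 3 or not ev.get("Initiated"):
            continue
        if ev.get("DestinationPort") not in SMB_PORTS:
            continue
        if _is_trusted(ev["DestinationIp"], trusted):
            continue
        # Events are sorted, so every recorded launch is at or before ts.
        trigger = next((cmd for t, cmd in launches.get(host, []) if ts - t <= window), None)
        findings.append({
            "host": host,
            "destination": ev["DestinationIp"],
            "port": ev["DestinationPort"],
            "severity": "high" if trigger else "medium",
            "trigger": trigger,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_smb(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} -> {f['destination']}:{f['port']} trigger={f['trigger']}")
```

On the sample data this yields one high-severity finding (WS01 reaching an outside host on 445 two seconds after the handler launch) and one medium finding (WS03 talking SMB to an unknown internal address). In production the allowlist should be fed from the asset inventory, and the rule pairs naturally with egress firewall logs, since blocking outbound 445 at the perimeter stops the hash from ever reaching an external listener.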
Source articles (4)
- Unpatched NTLM Coercion in Windows search: URI Handler, Same Bug, No CVE, No Fix — Huntress · 2026-06-02
  Acknowledgments: A special thank you to Tyler Bohlmann, Jon Semon, Lindsey O'Donnell-Welch, Aaron Deal, and Beth Robinson for their contributions and edits to this blog. And a big thank you to Case…
- Unpatched NTLM Leakage in Windows search: URI Handler, Same Bug, No CVE, No Fix — Huntress · 2026-06-03
  Acknowledgments: A special thank you to Tyler Bohlmann, Jon Semon, Lindsey O'Donnell-Welch, Aaron Deal, and Beth Robinson for their contributions and edits to this blog. And a big thank you to Cas…
- CVE-2026-33829 — github.com · 2026-06-02
- Outlook Vulnerability New Ways To Leak Ntlm Hashes — www.varonis.com · 2026-06-03
Timeline
- 2026-04-14 — CVE-2026-33829 patched: Microsoft released a patch for an NTLM credential coercion bug in the Windows Snipping Tool.
- 2026-05-21 — First public PoC for CVE-2026-33829: A proof of concept for the NTLM coercion vulnerability was made public, demonstrating its exploitability.
- 2026-06-02 — Similar vulnerability reported: A new vulnerability using the same NTLM coercion mechanism was reported but closed without a CVE or fix.
- 2026-06-03 — Second article published: A follow-up article reiterated the issues surrounding the unpatched NTLM leakage in Windows URI handlers.
CVEs
- CVE-2026-33829
Related entities
- Phishing (Attack Type)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-20 - Improper Input Validation (CWE)
- newjersey.no (Domain)
- 10.0.1.100 (IPv4)
- T1003 - OS Credential Dumping (MITRE ATT&CK)
- T1021 - Remote Services (MITRE ATT&CK)
- T1110 - Brute Force (MITRE ATT&CK)
- T1566 - Phishing (MITRE ATT&CK)
- Edge (Platform)
- Snipping Tool (Platform)
- Windows (Platform)
- Kali (Tool)
- Responder (Tool)