Unpatched NTLM Vulnerability in Windows URI Handlers Exposes Credentials
Severity: Medium (Score: 48.9)
Sources: Huntress, www.varonis.com, github.com, Cybersecuritynews
Severity indicators: bug, unpatched, no fix
Summary
A newly identified flaw in Windows URI handlers can leak NTLMv2 hashes to attacker-controlled servers with a single link click. This vulnerability is related to CVE-2026-33829, which was patched in the Windows Snipping Tool on April 14, 2026, but no CVE has been assigned for this variant. The issue arises from the ms-screensketch: URI handler, which does not validate the filePath parameter, allowing NTLM authentication to be triggered and exposing sensitive credentials. Attackers can exploit this flaw without requiring malware, merely by tricking users into clicking a link. The vulnerability affects Windows systems running the Snipping Tool and similar URI handlers. As of now, Microsoft has not provided a fix or acknowledged the new variant. Security professionals are urged to remain vigilant as this could facilitate unauthorized access to networks.
Key Points:
- A new NTLM vulnerability allows credential leakage via Windows URI handlers.
- The flaw is similar to CVE-2026-33829 but lacks a CVE and fix.
- Exploitation requires only a user to click a specially crafted link.
Detailed Analysis
**Impact**
Windows users running versions including Windows 11 25H2 Pro (Build 26200.8524) are affected, particularly standard user accounts without admin privileges. The vulnerability enables attackers to capture Net-NTLMv2 hashes through a single link click, potentially exposing credentials across enterprise environments globally. This can facilitate unauthorized access, lateral movement, and credential relay attacks, impacting sectors reliant on Windows infrastructure. No specific numbers or geographic concentrations were provided.
**Technical Details**
The vulnerability exploits unpatched URI handlers in Windows, specifically the Snipping Tool's `ms-screensketch:` and Windows Search's URI schemes, which accept unsanitized UNC paths that trigger NTLM authentication requests. Attackers use tools like Responder on attacker-controlled servers to capture Net-NTLMv2 hashes without user prompts. The known CVE-2026-33829 addresses the Snipping Tool flaw, but the Windows Search variant remains unpatched and has no CVE assigned. The attack occurs during the initial link activation phase, leveraging COM activation via DelegateExecute CLSID `{90b9bce2-b6db-4fd3-8451-35917ea1081b}`. No IOCs beyond the UNC path requests and attacker server IPs were detailed.
**Recommended Response**
Apply the April 14, 2026 patch for CVE-2026-33829 to mitigate the Snipping Tool URI handler issue; however, no patch exists for the Windows Search URI handler flaw. Monitor network traffic for unsolicited NTLM authentication attempts to unknown UNC paths and implement detection rules for suspicious outbound SMB or NTLM connections. Educate users to avoid clicking unsolicited or suspicious links containing URI schemes like `ms-screensketch:` or Windows Search variants. Maintain endpoint protection with default Defender settings and monitor for anomalous authentication activity.
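The recommended response above asks for detection of suspicious outbound SMB or NTLM connections. The following is an added example, not code from the source articles or from any of the vendors named on this page, of a small detector that scans endpoint network-connection log lines and flags outbound SMB (TCP 445/139) connections to destinations outside the organisation's internal ranges, which is the network signature an NTLM coercion of this kind leaves. The log format (key=value records with `host`, `user`, `image`, `src`, `dst` fields), the sample records, and the internal address ranges are all constructed assumptions; adapt the parser and `INTERNAL_NETS` to your own telemetry (for example Sysmon Event ID 3 exported as key=value) and address plan.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Set, Union

# Assumption: the organisation's internal address space is RFC 1918 plus loopback.
# This is deliberately an explicit list rather than ipaddress's is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# An outbound connection to these ports implies an SMB session, and therefore an NTLM
# authentication attempt, to the destination host.
SMB_PORTS = {445, 139}

# Constructed sample telemetry: one record per outbound connection. Hosts, users,
# image paths and addresses are invented; 203.0.113.0/24 and 198.51.100.0/24 are the
# RFC 5737 documentation ranges, standing in for attacker-controlled servers.
SAMPLE_LOG = r"""
2026-06-03T10:15:02Z host=WS01 user=CORP\alice image=C:\Windows\System32\svchost.exe proto=tcp src=10.0.5.23:51022 dst=10.0.7.10:445
2026-06-03T10:15:09Z host=WS01 user=CORP\alice image=C:\Windows\System32\svchost.exe proto=tcp src=10.0.5.23:51031 dst=203.0.113.45:445
2026-06-03T10:15:09Z host=WS01 user=CORP\alice image=C:\Windows\explorer.exe proto=tcp src=10.0.5.23:51032 dst=203.0.113.45:443
2026-06-03T10:16:40Z host=WS02 user=CORP\bob image=C:\Windows\explorer.exe proto=tcp src=10.0.5.40:49800 dst=198.51.100.7:445
2026-06-03T10:17:01Z host=WS03 user=CORP\carol image=C:\Windows\explorer.exe proto=tcp src=10.0.5.41:49812 dst=192.168.50.9:445
"""


def is_internal(ip: Union[str, ipaddress.IPv4Address, ipaddress.IPv6Address]) -> bool:
    """True if the address falls inside one of the configured internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one '<timestamp> key=value ...' record; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        rec[key] = value
    try:
        dst_ip, dst_port = rec["dst"].rsplit(":", 1)
        rec["dst_ip"] = ipaddress.ip_address(dst_ip)
        rec["dst_port"] = int(dst_port)
    except (KeyError, ValueError):
        return None
    return rec


def find_smb_egress(log_text: str) -> List[dict]:
    """Return records for outbound SMB connections whose destination is not internal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst_port"] in SMB_PORTS and not is_internal(rec["dst_ip"]):
            hits.append(rec)
    return hits


def summarize(hits: List[dict]) -> Dict[str, Set[str]]:
    """Group flagged external SMB destinations by source host, for triage."""
    by_host: Dict[str, Set[str]] = defaultdict(set)
    for rec in hits:
        by_host[rec["host"]].add(str(rec["dst_ip"]))
    return dict(by_host)


if __name__ == "__main__":
    for host, dests in summarize(find_smb_egress(SAMPLE_LOG)).items():
        print(f"{host}: outbound SMB to external destination(s) {sorted(dests)}")
```

Run against the constructed sample, the detector reports WS01 and WS02: each opened a TCP 445 connection to an address outside the internal ranges, which in this scenario is exactly what a coerced UNC-path request looks like on the wire. The connection to port 443 on the same external host and the SMB connections to internal file servers are left alone, so the rule stays quiet on normal file-share traffic.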
Source articles (5)
- Unpatched NTLM Coercion in Windows search: URI Handler, Same Bug, No CVE, No Fix — Huntress · 2026-06-02
  Acknowledgments: A special thank you to Tyler Bohlmann, Jon Semon, Lindsey O'Donnell-Welch, Aaron Deal, and Beth Robinson for their contributions and edits to this blog. And a big thank you to Case…
- Unpatched NTLM Leakage in Windows search: URI Handler, Same Bug, No CVE, No Fix — Huntress · 2026-06-03
  Acknowledgments: A special thank you to Tyler Bohlmann, Jon Semon, Lindsey O'Donnell-Welch, Aaron Deal, and Beth Robinson for their contributions and edits to this blog. And a big thank you to Cas…
- Windows Search URI Handler Flaw Leaks NTLMv2 Hashes to Attacker — Cybersecuritynews · 2026-06-03
  A newly disclosed flaw in the Windows URI handler can silently leak NTLMv2 hashes to attacker-controlled servers with nothing more than a single link click. This behavior is the same bug class as CVE-…
- CVE-2026-33829 — github.com · 2026-06-02
- Outlook Vulnerability New Ways To Leak Ntlm Hashes — www.varonis.com · 2026-06-03
Timeline
- 2026-04-14 — CVE-2026-33829 published: Microsoft patched an NTLM credential coercion bug in the Windows Snipping Tool with a CVSS score of 4.3.
- 2026-05-21 — First public PoC for CVE-2026-33829: A proof of concept was publicly shared demonstrating the vulnerability in the Snipping Tool.
- 2026-06-02 — New NTLM vulnerability reported: A similar NTLM leakage issue in another Windows URI handler was reported, with no CVE assigned.
- 2026-06-03 — Cybersecurity news coverage: Cybersecurity news outlets reported on the new NTLM vulnerability and its implications for Windows users.
CVEs
Related entities
- Data Breach (Attack Type)
- Phishing (Attack Type)
- Microsoft (Company)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-20 - Improper Input Validation (Cwe)
- newjersey.no (Domain)
- 10.0.1.100 (Ipv4)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1021 - Remote Services (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1110 - Brute Force (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- Edge (Platform)
- Snipping Tool (Platform)
- Windows (Platform)
- Kali (Tool)
- Responder (Tool)