Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)
Vulnerability
Summary
Hide ▲
Show ▼
Windows search: URI handler has an unpatched NTLMv2 hash disclosure flaw that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The weakness is similar to CVE-2026-33829 and can trigger a connection to an attacker-controlled SMB server. Captured hashes may then be reused for relay attacks or authentication.
Related Happenings
CCB urgent patch warning for CVE-2026-41089 on Windows servers
Public Sector Action
H score48
First: 01.06.2026 15:30
Last: 01.06.2026 15:30
Sources 1
About this happening:
Belgium's CCB warned that CVE-2026-41089 is being actively exploited in the wild, urging admins to immediately patch vulnerable Windows servers because the fla...
CCB urgent patch warning for CVE-2026-41089 on Windows servers
Public Sector ActionAbout this happening: Belgium's CCB warned that CVE-2026-41089 is being actively exploited in the wild, urging admins to immediately patch vulnerable Windows servers because the fla...
GhostLock CreateFileW share-mode file-locking technique
Technical Analysis
H score24
First: 12.05.2026 01:02
Last: 12.05.2026 01:02
Sources 1
About this happening:
GhostLock exposes a file-locking technique that abuses Windows CreateFileW to deny access to files on local systems and SMB shares. Because the method relies on legiti...
GhostLock CreateFileW share-mode file-locking technique
Technical AnalysisAbout this happening: GhostLock exposes a file-locking technique that abuses Windows CreateFileW to deny access to files on local systems and SMB shares. Because the method relies on legiti...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
H score39
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A December 2025 APT28 campaign targeted Ukraine and E.U. nations with a malicious Windows Shortcut (LNK) chain that bypassed Microsoft Defender SmartScreen...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
CampaignAbout this happening: A December 2025 APT28 campaign targeted Ukraine and E.U. nations with a malicious Windows Shortcut (LNK) chain that bypassed Microsoft Defender SmartScreen...
Pirated software installer cryptojacking campaign
Campaign
H score35
First: 18.02.2026 18:00
Last: 18.02.2026 18:00
Sources 1
About this happening:
A cryptojacking campaign now spreads through pirated software bundles, using a multi-stage infection chain to deploy a bespoke XMRig miner and maintain persistence...
Pirated software installer cryptojacking campaign
CampaignAbout this happening: A cryptojacking campaign now spreads through pirated software bundles, using a multi-stage infection chain to deploy a bespoke XMRig miner and maintain persistence...
Microsoft NTLM phase-out and disable-by-default plan
Advisory/Mitigation
H score19
First: 02.02.2026 17:59
Last: 02.02.2026 17:59
Sources 1
About this happening:
Microsoft is rolling out a three-phase NTLM phase-out for Windows, pushing organizations to audit NTLM usage, migrate to Kerberos, and prepare for NTLM-off con...
Microsoft NTLM phase-out and disable-by-default plan
Advisory/MitigationAbout this happening: Microsoft is rolling out a three-phase NTLM phase-out for Windows, pushing organizations to audit NTLM usage, migrate to Kerberos, and prepare for NTLM-off con...
Timeline
-
03.06.2026 13:18 1 articles · 1mo ago
Microsoft declines to address Windows search URI handler NTLMv2 hash disclosure flaw
Legal Policy Action UpdateFollowing responsible disclosure on April 15, 2026, Microsoft declined to address the Windows search: URI handler issue, saying only Important and Critical severity cases meet its bar for servicing.
Show sources
- Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes — thehackernews.com — 03.06.2026 13:18
-
03.06.2026 13:18 2 articles · 1mo ago
Researchers disclose Windows search URI handler NTLMv2 hash leak
Initial DisclosureCybersecurity researchers disclosed an unpatched issue in the Windows search: URI handler that can induce a user's computer to connect to an attacker-controlled SMB server through a crafted `search:` link and `crumb=location:` UNC path, exposing the user's Net-NTLMv2 hash. Huntress said the flaw used the same NTLM leakage mechanism and prerequisites as earlier URI-handler abuse, with a technique similar to CVE-2023-35636 and the Windows Snipping Tool issue tied to CVE-2026-33829.
Show sources
- Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes — thehackernews.com — 03.06.2026 13:18
- Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes — thehackernews.com — 03.06.2026 13:18