Microsoft Windows Vulnerability Enables NTLM Hash Theft via Search URI Handler
AI-generated from multiple sources. Verify before acting on this reporting.
SEATTLE (Reuters) - A critical unpatched vulnerability in Microsoft Windows operating systems allows attackers to steal authentication credentials through the Windows search URI handler, security researchers said on Tuesday.
The flaw, identified by Huntress and other cybersecurity experts, stems from a failure in the Windows search: URI handler to properly validate parameters. This oversight enables malicious actors to trigger NTLM authentication requests and capture NTLMv2 hashes via Server Message Block (SMB) requests. Once obtained, these hashes can be used in relay attacks to gain unauthorized access to network resources.
The vulnerability affects multiple versions of the Windows operating system. Unlike typical security issues that are addressed through regular patch cycles, this specific flaw remains unpatched as of Tuesday morning. The issue allows attackers to induce NTLM authentication without user interaction, potentially compromising domain credentials and enabling lateral movement within corporate networks.
NTLMv2 hashes are cryptographic representations of user passwords used in Windows authentication. When attackers capture these hashes, they can attempt to relay them to other systems, tricking those systems into accepting the attacker as a legitimate user. This technique, known as a relay attack, can bypass password complexity requirements and grant access to sensitive data and administrative functions.
Microsoft has not yet issued a patch for the vulnerability. The company typically addresses such issues through its monthly Patch Tuesday updates or through out-of-band security bulletins for critical flaws. Security researchers have urged organizations to implement compensating controls while awaiting an official fix.
The discovery highlights ongoing challenges in securing complex operating system components. URI handlers are used to process specific types of links and commands within Windows, and vulnerabilities in these components can provide attackers with powerful exploitation vectors. The Windows search URI handler, in particular, is frequently accessed by users and applications, making it a valuable target for exploitation.
Cybersecurity experts recommend that organizations disable unnecessary URI handlers, implement network segmentation, and monitor for suspicious SMB traffic. These measures can help mitigate the risk of exploitation until Microsoft releases a patch.
The vulnerability was disclosed on Tuesday, June 3, 2026. Researchers have provided technical details to help organizations understand the threat and implement appropriate defenses. However, the exact scope of affected systems and the potential for widespread exploitation remain unclear.
Microsoft has not commented on the timeline for a patch or whether the vulnerability has been actively exploited in the wild. Security researchers continue to investigate the full impact of the flaw and are monitoring for signs of active attacks.
Organizations are advised to stay vigilant and prepare for potential incidents involving this vulnerability. The situation remains fluid as researchers work to understand the full extent of the threat and Microsoft works to develop a fix.