ctipilot.ch


Huntress: Windows `search:` URI handler leaks NTLMv2 hashes — Microsoft declines to patch

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

Huntress detailed an unpatched Net-NTLMv2 leak in the Windows search: protocol handler: a crafted link whose crumb=location: parameter points at an attacker-controlled UNC path makes Windows open an outbound SMB connection (TCP 445) to that host and complete NTLM authentication against it, exposing the user's Net-NTLMv2 challenge-response for offline cracking or relay (Huntress, 2026-06-03 · The Hacker News, 2026-06-03).

The bug class is structurally identical to the Snipping Tool ms-screensketch: handler leak (CVE-2026-33829) that Microsoft patched in April. Huntress reported the search: variant a day later, but Microsoft declined to assign a CVE or ship a fix, assessing it as Moderate severity, which falls below the Important/Critical threshold of its servicing bar.

ATT&CK mapping: Forced Authentication, T1187.

The single highest-value control neutralises the whole URI-handler leak class rather than this one handler: block outbound SMB (TCP 445/139) at the host firewall and at the perimeter for endpoints that do not need external shares, and enable Extended Protection for Authentication (EPA) on NTLM-accepting services. Two caveats when deploying it. First, if the WebClient service is running, a UNC path that fails over SMB can be retried over WebDAV (TCP 80/443), which still carries NTLM, so disable WebClient or block that path as well. Second, EPA and required SMB signing stop relay, not offline cracking: a captured Net-NTLMv2 response is only as strong as the user's password, so the leak still matters wherever NTLM remains enabled.
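As an added example (not code from the brief, Huntress, or Microsoft), the following Python covers both ends of the leak described above: it flags search: links whose crumb=location: names a remote share, which is what a mail gateway or link scanner would look for, and it checks firewall log lines for the outbound SMB egress that the recommended block rule should be dropping. It assumes the link body is a plain key=value list, that the search-ms: scheme shares the crumb=location: syntax, and that the log lines follow the Windows Firewall pfirewall.log field order; every URI and log line in it is a constructed sample.

```python
"""Detection helpers for the search: URI forced-authentication leak class.

Two checks: (1) does a search:/search-ms: URI carry a crumb=location:
that points at a remote share, and (2) does a firewall log show outbound
TCP 445/139 to non-private addresses, i.e. the block rule is missing.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl

# "search:" is the handler named in the brief; "search-ms:" is ASSUMED to
# accept the same crumb=location: syntax.
SEARCH_SCHEMES = ("search:", "search-ms:")

# A location is remote when it starts with \\host or //host (optionally
# behind a file: prefix).  \\?\ and \\.\ are local device-path prefixes.
UNC_RE = re.compile(r"^(\\\\|//)([^\\/]+)")
LOCAL_PREFIXES = {"?", "."}

SMB_PORTS = {445, 139}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def crumb_locations(uri: str) -> List[str]:
    """Return every location: value carried by a crumb= parameter of a search URI."""
    text = uri.strip()
    lowered = text.lower()
    scheme = next((s for s in SEARCH_SCHEMES if lowered.startswith(s)), None)
    if scheme is None:
        return []
    found = []
    # parse_qsl splits on '&', splits each pair on the first '=' only and
    # percent-decodes, so an encoded "location%3A%5C%5C..." is handled too.
    for key, value in parse_qsl(text[len(scheme):], keep_blank_values=True):
        if key.lower() == "crumb" and value.lower().startswith("location:"):
            found.append(value[len("location:"):].strip())
    return found


def remote_location_host(location: str) -> Optional[str]:
    """Host named by a UNC/file:// location, or None if the path is local."""
    loc = location.strip()
    if loc.lower().startswith("file:"):
        loc = loc[len("file:"):]
    m = UNC_RE.match(loc)
    if not m or m.group(2) in LOCAL_PREFIXES:
        return None
    return m.group(2)


def is_forced_auth_uri(uri: str, allowed_hosts: Iterable[str] = ()) -> bool:
    """True when a search URI would make Windows authenticate to a share host
    that is not on the allow list (e.g. an internal file server)."""
    allowed = {h.lower() for h in allowed_hosts}
    for loc in crumb_locations(uri):
        host = remote_location_host(loc)
        if host and host.lower() not in allowed:
            return True
    return False


def smb_egress_to_internet(log_lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """(dst-ip, dst-port, action) for outbound TCP 445/139 to non-private IPs.

    Field order is the Windows Firewall pfirewall.log layout: date time action
    protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin
    icmptype icmpcode info path.  An ALLOW here means the block rule is absent.
    """
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 17 or f[3] != "TCP" or f[16] != "SEND":
            continue
        try:
            port, dst = int(f[7]), ipaddress.ip_address(f[5])
        except ValueError:
            continue
        if port in SMB_PORTS and not any(dst in net for net in PRIVATE_NETS):
            hits.append((f[5], port, f[2]))
    return hits


# Constructed samples (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for attacker hosts.
SAMPLE_URIS = [
    r"search:query=invoice&crumb=location:\\203.0.113.77\share&displayname=Invoices",
    "search-ms:displayname=Downloads&crumb=location:C:%5CUsers%5CPublic",
    "search:query=report&crumb=location%3A%5C%5Cfileserver.corp.example%5Cdocs",
]
LOG_SAMPLE = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-06-04 09:15:22 ALLOW TCP 10.20.30.40 10.20.30.5 51230 445 0 - 0 0 0 - - - SEND
2026-06-04 09:15:23 ALLOW TCP 10.20.30.40 203.0.113.77 51234 445 0 - 0 0 0 - - - SEND
2026-06-04 09:15:24 DROP TCP 10.20.30.40 198.51.100.9 51235 139 0 - 0 0 0 - - - SEND
2026-06-04 09:15:25 ALLOW TCP 203.0.113.77 10.20.30.40 445 51234 0 - 0 0 0 - - - RECEIVE
2026-06-04 09:15:26 ALLOW TCP 10.20.30.40 203.0.113.77 51236 443 0 - 0 0 0 - - - SEND
"""

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(is_forced_auth_uri(u, allowed_hosts=("fileserver.corp.example",)), u)
    for dst, port, action in smb_egress_to_internet(LOG_SAMPLE.splitlines()):
        print(f"outbound SMB to {dst}:{port} was {action}")
```

The allow list is the practical knob: internal file servers legitimately appear in search crumbs, so the check only alarms on hosts outside it. The egress check deliberately reports ALLOW and DROP separately; a DROP confirms the block rule fired, while an ALLOW to a public address on 445 is the finding that matters.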