Security researchers at Huntress have publicly disclosed an unpatched flaw in Windows that can be triggered with a single click to leak a user's NTLMv2 password hash to an attacker. Microsoft has not yet released a patch, and the issue affects the built-in Windows search: URI handler — meaning any up-to-date Windows 10 or Windows 11 PC is potentially exposed right now.
What the researchers found
On June 3, 2026, cybersecurity researchers disclosed details of an unpatched issue that could be exploited to disclose a user's NTLMv2 hash to the attacker . The bug lives in the Windows search: URI handler — the same mechanism that lets a webpage or document pop open the Windows Search interface when you click a specially crafted link.
Like in the case of CVE-2026-33829, which impacted the Windows Snipping Tool's ms-screensketch: URI handler, the newly flagged issue resides in the search: URI handler, per Huntress. In plain English: a malicious link or document can quietly force your PC to reach out to an attacker-controlled server, and Windows hands over a scrambled version of your password (the NTLMv2 hash) in the process.
Why a leaked hash matters to a home or small-business user
An NTLMv2 hash is not your plaintext password, but attackers routinely crack these hashes offline or use them in "pass-the-hash" and "relay" attacks to log in as you on other systems. For a small business in York County, that can mean an attacker pivoting from one infected laptop to a file server, a QuickBooks machine, or a domain controller.
This is the same class of low-effort, high-impact bug that has historically been chained with phishing emails and booby-trapped Office documents. There is no exotic exploit kit required — just a link the user clicks. If you suspect a machine has already been compromised or is acting strangely after clicking a suspicious link, it's worth having a technician scan it for malware and credential theft tools before logging into anything sensitive.
There is no patch yet — here's how to reduce your risk
Because Microsoft has not shipped a fix, the practical defenses are behavioral and configuration-based:
- Do not click links from unknown senders, especially links that look like they would "open in Windows" (search:, ms-screensketch:, ms-officecmd:, etc.). - Be extra cautious with .lnk shortcut files, HTML attachments, and ZIP files from email. - On business networks, ask your IT provider about blocking outbound SMB (TCP 445) at the firewall, which neutralizes the most common way these hash-leak bugs get abused. - Keep Windows Update turned on so the patch installs the moment Microsoft releases it — likely on the next Patch Tuesday, June 10, 2026.
This is also a reminder that this class of bug keeps surfacing. The new search: URI issue follows the earlier ms-screensketch: URI handler flaw tracked as CVE-2026-33829 , so expect more URI-handler disclosures in the coming months.
Other Windows security activity this week
The Huntress disclosure landed in an already busy week for Windows defenders. A critical Windows Netlogon vulnerability, tracked as CVE-2026-41089, has emerged as a significant security concern after authorities warned that threat actors are actively attempting to exploit the flaw to gain remote code execution capabilities on vulnerable systems, with a CVSS severity score of 9.8, disclosed on May 12, 2026 as part of Microsoft's monthly Patch Tuesday updates. That bug primarily affects Windows servers acting as domain controllers, so it's more of a small-business/IT concern than a home-user one, but it underscores how aggressively attackers are weaponizing newly disclosed Windows flaws.
If you're running an older home PC or office workstation that has been putting off updates, this is a good week to install them. Machines that won't update, blue-screen during updates, or boot extremely slowly afterward are common reasons people bring in a desktop for diagnostics, and putting it off when active exploits are circulating is risky.
What This Means for York, PA
For York-area home users and small businesses, the practical takeaway is simple: be skeptical of links and attachments this week, make sure Windows Update is on, and if you think you've already clicked something suspicious, bring the PC in — 2069 Carlisle Rd is open Mon-Fri 9-5 and we can check for credential-theft activity before it spreads to other machines on your network.