Critical Windows Snipping Tool Flaw CVE-2023-28303 Lets Attackers Spoof Networks
Key Takeaways A moderate-severity spoofing vulnerability (CVE-2026-33829) was discovered in the Windows Snipping Tool. The flaw could enable attackers to steal NTLMv2 password hashes through...
Key Takeaways
- A moderate-severity spoofing vulnerability (CVE-2026-33829) was discovered in the Windows Snipping Tool.
- The flaw could enable attackers to steal NTLMv2 password hashes through malicious deep links.
- All supported versions of Windows 10, Windows 11, and Windows Server (2012-2025) are affected.
- Microsoft released patches for this vulnerability on April 14, 2026.
Windows Snipping Tool Vulnerability Enables Credential Theft
Microsoft has addressed a security vulnerability within its Windows Snipping Tool that could have allowed malicious actors to compromise user credentials. This flaw, identified as CVE-2026-33829, is categorized as a moderate-severity spoofing vulnerability and was remedied as part of the scheduled security updates released on April 14, 2026.
Table Of Content
The discovery and subsequent reporting of this vulnerability were credited to security researchers at Blackarrow (Tarlogic). Their findings underscore the persistent security challenges posed by application URL handlers within Windows operating environments.
CVE-2026-33829 carries a CVSS 3.1 score of 4.3. It is primarily classified under CWE-200, which denotes the exposure of sensitive information to unauthorized entities. The core of the vulnerability lies in the Snipping Tool’s inadequate input validation when processing deep links, specifically those utilizing the ms-screensketch URI schema.
Exploitation Vector and Attack Chain
According to the joint vulnerability disclosure from Microsoft and Blackarrow, an attacker could exploit this weakness to compel an authenticated Server Message Block (SMB) connection to a server under their control. While user interaction is a prerequisite for exploitation, the overall attack complexity is rated as low. The proof-of-concept outlines the following attack sequence:
- Malicious Link Creation: An attacker constructs a specially crafted web link incorporating the
ms-screensketch: editparameter. - Deceptive Routing: The
filePathparameter within this link is configured to point to an external, malicious SMB server. - User Interaction: The victim is then socially engineered into clicking this link, typically via a phishing email or a compromised website. This action prompts the user to confirm the launch of the Snipping Tool application.
- Hash Theft: Upon user approval, the Snipping Tool attempts to connect to the remote server to retrieve a non-existent file. During this connection, the user’s NTLMv2 password hash is silently leaked to the attacker’s server in the background.
- Unauthorized Access: The attacker captures the stolen hash, which can then be used to authenticate as the compromised user on the network.
Cybersecurity experts caution that this vulnerability is highly suitable for social engineering tactics. An attacker could, for example, present a seemingly innocuous webpage instructing a user to crop a corporate image or modify a badge photograph. Although the Snipping Tool appears to function normally on the user’s screen, making the request seem harmless, the critical NTLM authentication occurs invisibly in the background.
Successful exploitation results in a loss of confidentiality but does not impact data integrity (alteration) or system availability (crashes). Microsoft has noted that the exploit code maturity is currently unproven, and the likelihood of exploitation is deemed “Unlikely,” with no reported instances of in-the-wild exploitation.
Affected Systems and Mitigation
The vulnerability, detailed on GitHub, affects a broad spectrum of Microsoft operating systems. This includes various versions of Windows 10, Windows 11, and Windows Server editions ranging from 2012 through 2025.
What You Should Do
- Apply the official Microsoft security patches released on April 14, 2026, immediately to all affected systems.
- Block outbound SMB traffic (Port 445) at the network perimeter to prevent NTLM hashes from being transmitted to external servers.
- Conduct ongoing employee training to raise awareness about the risks of clicking suspicious links and indiscriminately approving application launch prompts from web browsers.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.