A newly discovered vulnerability in Microsoft’s Snipping Tool, identified as CVE-2026-33829, exposes users to potential Net-NTLM credential hash theft. Security experts from Black Arrow disclosed the issue, which allows attackers to abuse the application’s handling of deep link URI registrations under the ms-screensketch URI scheme.
Understanding the Vulnerability
The flaw affects Windows Snipping Tool versions that do not properly validate the input passed through a registered deep link. An attacker can supply a UNC path that points to a remote, attacker-controlled SMB server; Windows then attempts an authenticated SMB connection to that host, and the victim’s Net-NTLM hash is captured in the process.
Black Arrow’s security team discovered the vulnerability and worked with Microsoft to address it before sharing it publicly. The PoC exploit they released demonstrates the ease with which attackers can lure users to malicious URLs, subsequently triggering the Snipping Tool to connect to an attacker-controlled server.
Exploitation and Risks
Executing this exploit requires minimal technical know-how. By hosting a malicious URL, or an HTML page that triggers the deep link automatically, attackers only need to persuade users to visit it. The Snipping Tool then attempts to load the remote resource and sends the user’s Net-NTLM authentication response to the attacker’s server, where it can be cracked offline or used in NTLM relay attacks.
This vulnerability is particularly dangerous due to its potential for social engineering. The Snipping Tool opens upon exploitation, making the attack appear legitimate, such as an invitation to edit an image or document. This deception is especially effective in corporate settings where phishing emails often mimic internal communication.
Patch and Security Recommendations
Microsoft released a patch for this vulnerability on April 14, 2026, as part of its regular Patch Tuesday updates. It is crucial for organizations and users with affected versions to implement this update immediately to mitigate risks.
Security teams should also monitor network traffic for unusual outbound SMB connections to unknown or external hosts, which could signal exploitation attempts. Blocking outbound SMB traffic at the network perimeter is a recommended preventive measure, since the attack depends on the victim reaching an attacker-controlled SMB server.
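As an added illustration of the monitoring recommendation above (this is example code, not part of the article or of Black Arrow’s research), the following Python script scans firewall connection logs for TCP connections to SMB ports (445, and 139 for legacy NetBIOS sessions) whose destination lies outside the organization’s internal address ranges. The log line format, the internal ranges and the sample addresses are assumptions constructed for the example; adapt them to your own firewall or NetFlow export. Denied connections are kept by default, because a blocked attempt still shows that a host was lured into reaching out.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log (not real traffic). Assumed line format:
# "<timestamp> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp> action=<allow|deny>"
SAMPLE_LOG = """\
2026-04-15T09:12:01Z src=10.20.5.17:51234 dst=10.20.1.10:445 proto=tcp action=allow
2026-04-15T09:12:09Z src=10.20.5.17:51240 dst=203.0.113.45:445 proto=tcp action=allow
2026-04-15T09:12:10Z src=10.20.5.17:51241 dst=203.0.113.45:445 proto=tcp action=allow
2026-04-15T09:13:44Z src=10.20.5.22:49822 dst=198.51.100.9:443 proto=tcp action=allow
2026-04-15T09:14:02Z src=10.20.5.22:49830 dst=198.51.100.77:139 proto=tcp action=allow
2026-04-15T09:14:30Z src=10.20.5.31:52000 dst=192.0.2.200:445 proto=tcp action=deny
"""

# SMB over TCP (445) and NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Assumed internal ranges: RFC 1918 plus loopback and link-local. Replace with
# the organisation's real allocation; file servers outside these are still flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip, internal_nets=INTERNAL_NETS):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def find_outbound_smb(log_text, include_denied=True, internal_nets=INTERNAL_NETS):
    """Return TCP connections to SMB ports whose destination is not internal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"].lower() != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if not include_denied and rec["action"].lower() != "allow":
            continue
        if is_internal(rec["dst"], internal_nets):
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged connections per (source host, destination, action) triple."""
    return Counter((h["src"], h["dst"], h["action"]) for h in hits)


if __name__ == "__main__":
    for (src, dst, action), n in summarize(find_outbound_smb(SAMPLE_LOG)).items():
        print(f"{src} -> {dst} ({action}): {n} SMB connection(s) to an external host")
```

Each flagged source host is a candidate for follow-up: check whether the Snipping Tool (or another application) was launched from a link around the same time, and treat the destination as a potential NTLM capture server when it does not belong to a known file server.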