PoC released for Windows Snipping Tool flaw exposing NTLM credentials

Snipping Tool vulnerability allows silent NTLM hash theft via malicious links

A newly disclosed vulnerability in Microsoft’s Snipping Tool is drawing attention after a proof-of-concept (PoC) exploit demonstrated how easily user credentials can be exposed through a simple web-based attack.

Tracked as CVE-2026-33829, the flaw lies in how the tool handles its deep-link URI registration for the ms-screensketch protocol. The application accepts a filePath parameter but does not validate it properly.

This allows an attacker to supply a malicious UNC path pointing to an external SMB server under their control. Once triggered, the system initiates an authenticated SMB request to that server, unintentionally sending the user's Net-NTLM hash to the attacker.

The issue was identified by security researchers at Black Arrow and responsibly disclosed to Microsoft before being made public.

The attack requires minimal effort: a user only needs to open a malicious link or webpage that triggers the deep link automatically. The Snipping Tool then launches as expected while silently attempting to load the remote resource, and NTLM authentication data is transmitted in the background.

The exposed hash can then be cracked offline or used in NTLM relay attacks to gain access to internal systems.

What makes CVE-2026-33829 particularly concerning is how easily it blends into normal workflows. Because the Snipping Tool opens as usual during the attack, the lure can be disguised as a routine task such as editing an image, reviewing a document, or responding to an internal request.

Attackers can further increase success rates by using realistic domains and convincing scenarios, making the activity appear legitimate.

Microsoft fixed the vulnerability in its April 14, 2026 Patch Tuesday update.

Disclosure timeline:
March 23, 2026 — Vulnerability reported
April 14, 2026 — Patch released
April 14, 2026 — Public disclosure and PoC release

Organizations and users are advised to install the latest updates immediately.

Security teams should monitor for unusual outbound SMB traffic on TCP port 445, which may signal exploitation attempts. Blocking outbound SMB connections at the network perimeter remains an effective safeguard.
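As an added illustration of the monitoring advice above (example code written for this page, not from the article, Microsoft or the Black Arrow researchers), the following script scans connection log lines for internal hosts opening TCP/445 to destinations outside the organisation. The log format and the list of internal address ranges are assumptions; adapt both to your own firewall or flow-log export.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in an assumed, simplified flow-log format (not real logs):
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
SAMPLE_LOG = """\
2026-04-15T09:12:01Z 10.20.30.41:51022 -> 10.20.30.5:445 tcp allow
2026-04-15T09:12:07Z 10.20.30.41:51031 -> 203.0.113.77:445 tcp allow
2026-04-15T09:12:09Z 10.20.30.41:51032 -> 203.0.113.77:443 tcp allow
2026-04-15T09:13:44Z 10.20.30.42:49810 -> 198.51.100.9:445 tcp deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

SMB_PORT = 445

# Assumed internal ranges; replace with the organisation's actual address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> List[Dict[str, str]]:
    """Return events where an internal host opened TCP/445 to a non-internal host.

    Denied connections are reported too: a blocked attempt still shows that a
    client tried to reach an external SMB server and deserves investigation.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ev = m.groupdict()
        if ev["proto"].lower() != "tcp" or int(ev["dport"]) != SMB_PORT:
            continue
        if is_internal(ev["src"]) and not is_internal(ev["dst"]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_external_smb(SAMPLE_LOG):
        print(f'{ev["ts"]} {ev["src"]} -> {ev["dst"]}:{SMB_PORT} ({ev["action"]}) external SMB')
```

Internal-to-internal SMB (the first sample line) is expected and ignored; the two hits it reports are the outbound 445 attempts the article says to watch for.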
