Microsoft’s April 2026 Patch Tuesday brought a significant disclosure: a spoofing vulnerability in the widely used Windows Snipping Tool, tracked as CVE-2026-33829, that allows unauthorized attackers to harvest NTLMv2 authentication hashes from targeted users over a network, all without requiring any elevated privileges.
Discovered by security researchers at Blackarrow, the flaw was formally published on April 14, 2026, as part of Microsoft’s monthly security update cycle that addressed a total of 167 vulnerabilities across its product portfolio, including two actively exploited zero-days.
Windows Snipping Tool Vulnerability
CVE-2026-33829 is classified as a Spoofing Vulnerability in the Windows Snipping Tool, rooted in CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
According to Microsoft’s Security Response Center, the vulnerability enables an unauthenticated remote attacker to induce the target system to connect to an attacker-controlled SMB server, thereby disclosing the victim’s NTLMv2 hash. This credential artifact can be relayed or cracked offline to authenticate as the victim user.
The vulnerability carries a CVSS 3.1 base score of 4.3 (Moderate severity), with the temporal score adjusted down to 3.8 because exploit code maturity is marked as “Unproven” and an official fix is already available.
The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, confirming a Network attack vector with Low complexity, requiring no privileges but necessitating user interaction.
How the Windows Snipping Tool Bug Attack Works
The exploit chain for CVE-2026-33829 is deceptively straightforward and follows a social engineering path well-suited to phishing campaigns.
An attacker must first craft a malicious URL and embed it in a web page, email message, or document. When the victim clicks the link and confirms the browser prompt to open it with the Snipping Tool, the application launches with the crafted URL.
The crafted URL silently forces the target machine to initiate an outbound SMB (Server Message Block) connection to a remote server under the attacker’s control.
During this SMB handshake, Windows automatically transmits the user’s NTLMv2 hash as part of the authentication process, exposing the credential without the user’s knowledge or consent.
The attacker can then use this hash in NTLM relay attacks to authenticate as the user against other internal services, or attempt offline brute-force cracking to recover the plaintext password, making this vulnerability a meaningful pivot point in multi-stage intrusion scenarios.
Critically, the impact is limited to confidentiality; the flaw does not allow the attacker to modify data (no integrity impact) or disrupt service availability.
However, the stolen NTLMv2 hash enables lateral movement, privilege escalation, and persistent access across enterprise environments.
Affected Windows Versions
The breadth of affected systems is extensive, spanning virtually every actively supported Windows release (and some legacy releases). Confirmed affected platforms include:
- Windows 10: Versions 1607, 1809, 21H2, and 22H2 (x86, x64, ARM64)
- Windows 11: Versions 23H2, 24H2, 25H2, and 26H1 (x64, ARM64)
- Windows Server: 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2 Edition, and 2025 (including Server Core installations)
Security patches were released simultaneously for all affected platforms on April 14, 2026, with KB articles ranging from KB5082063 (Windows Server 2025) to KB5083769 (Windows 11 24H2/25H2); Microsoft lists applying them as a mandatory customer action.
While CVE-2026-33829 is rated Moderate and carries no known public exploitation at the time of disclosure, its real-world risk is amplified by its low attack complexity and the zero-privilege requirement for the attacker.
Security analysts and the Zero Day Initiative note that NTLMv2 hash disclosure vulnerabilities have historically served as reliable entry points in sophisticated attack chains, particularly when defenders are slower to patch legacy Windows Server environments.
The vulnerability also fits within a broader security pattern: the Windows Snipping Tool has previously been the subject of information disclosure research, confirming that the application’s image-handling, clipboard operations, and URL-launch behaviors create subtle but exploitable trust boundaries.
Notably, this Patch Tuesday also addressed CVE-2026-32183, a separate Remote Code Execution flaw in the same Snipping Tool application with a CVSS score of 7.8, suggesting the application is receiving concentrated security scrutiny.
Recommended Mitigations
Organizations should immediately prioritize the following actions:
- Apply the April 2026 Patch Tuesday updates using the relevant KB articles for your Windows version through Windows Update, WSUS, or SCCM/Intune deployment pipelines.
- Block outbound SMB traffic (TCP port 445) at the network perimeter to prevent NTLMv2 hash capture from external attacker-controlled servers.
- Enforce NTLMv2 restrictions via Group Policy, or migrate to Kerberos authentication where feasible to reduce hash relay exposure.
- Deploy phishing-resistant email filtering and URL inspection to intercept the socially engineered delivery mechanism before it reaches end users.
- Monitor SMB outbound connection logs for anomalous external destinations, which could indicate active exploitation attempts.
- Enable Microsoft Defender for Identity alerts for NTLM relay and pass-the-hash activity patterns.
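The monitoring item above can be turned into a simple log check. The following is an added example, not code from the article or from Microsoft: it parses constructed Windows Firewall log lines (assumed to follow the standard pfirewall.log field layout) and flags outbound TCP/445 attempts to non-RFC1918 destinations, which is the network behaviour this CVE depends on.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample lines in the Windows Firewall (pfirewall.log) layout:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags
# tcpsyn tcpack tcpwin icmptype icmpcode info path
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-15 09:12:33 ALLOW TCP 10.0.0.5 10.0.0.20 51234 445 0 - 0 0 0 - - - SEND
2026-04-15 09:13:01 ALLOW TCP 10.0.0.5 203.0.113.10 51240 445 0 - 0 0 0 - - - SEND
2026-04-15 09:13:02 ALLOW TCP 10.0.0.5 203.0.113.10 51241 443 0 - 0 0 0 - - - SEND
2026-04-15 09:14:10 DROP TCP 10.0.0.7 198.51.100.4 51300 445 0 - 0 0 0 - - - SEND
2026-04-15 09:15:00 ALLOW TCP 192.0.2.9 10.0.0.5 40000 445 0 - 0 0 0 - - - RECEIVE
"""

# Explicit RFC1918 plus loopback/link-local ranges. Python's is_private also
# treats documentation ranges (203.0.113.0/24 etc.) as private, so it is not used.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

class Finding(NamedTuple):
    time: str
    src: str
    dst: str
    action: str

def is_external(ip: str) -> bool:
    """True when the address lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_external_smb(log_text: str) -> list[Finding]:
    """Flag outbound TCP/445 attempts to external hosts. DROPped attempts are
    kept too: a blocked attempt still shows a client was induced to reach an
    external SMB server, which is the trigger worth investigating."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 17:
            continue  # malformed or truncated record
        date, time, action, proto, src, dst, dport, path = (
            f[0], f[1], f[2], f[3], f[4], f[5], f[7], f[16])
        if proto != "TCP" or dport != "445" or path != "SEND":
            continue
        if is_external(dst):
            findings.append(Finding(f"{date} {time}", src, dst, action))
    return findings

if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG):
        print(f"{hit.time} {hit.src} -> {hit.dst}:445 ({hit.action})")
```

Point the function at a real pfirewall.log export to triage hosts; correlate any ALLOW hit with the patch state of that host.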
The vulnerability was responsibly disclosed through coordinated disclosure with the Offensive Security Division of Tarlogic Security, and Microsoft has confirmed full acknowledgment of the research contribution.
Frequently Asked Questions
Q1: Is CVE-2026-33829 actively exploited in the wild?
No, Microsoft confirms the vulnerability has not been publicly disclosed or exploited at the time of patch release, with exploitation assessed as “Unlikely.”
Q2: What credentials does CVE-2026-33829 expose to an attacker?
The flaw leaks the victim’s NTLMv2 authentication hash to an attacker-controlled SMB server when the user opens a crafted malicious link.
Q3: Which Windows versions need to be patched for CVE-2026-33829?
All major Windows versions are affected, including Windows 10 (21H2, 22H2), Windows 11 (23H2 through 26H1), and Windows Server 2012 through 2025.
Q4: Can blocking SMB outbound traffic mitigate CVE-2026-33829 before patching?
Yes, blocking outbound TCP port 445 at the firewall prevents the NTLM hash from being sent to external attacker infrastructure, serving as an effective interim workaround.
Site: thecybrdef.com