Windows Snipping Tool Vulnerability Allows Attacker to Perform Spoofing Over a Network

Microsoft has addressed a moderate-severity security flaw in the Windows Snipping Tool that could allow malicious actors to steal user credentials.

Tracked as CVE-2026-33829, this spoofing vulnerability was officially patched during the April 14, 2026, security updates.

Discovered and reported by security researchers at Blackarrow (Tarlogic), the flaw highlights the ongoing risks associated with application URL handlers in Windows environments.

CVE-2026-33829 holds a CVSS 3.1 score of 4.3 and is classified as an exposure of sensitive information to unauthorized actors (CWE-200).

The vulnerability resides in how the Windows Snipping Tool processes deep links. Specifically, the application fails to validate input when handling the ms-screensketch URI schema properly.

According to the vulnerability disclosure provided by Microsoft and Blackarrow, an attacker can exploit this weakness to force an authenticated Server Message Block (SMB) connection to a remote, attacker-controlled server.

While the exploit requires user interaction, the attack complexity is considered low. Here is how the attack chain operates based on the released proof-of-concept:

• Malicious Link Creation: Attackers craft a specific web link using the ms-screensketch: edit parameter.
• Deceptive Routing: The link points the filePath parameter to a malicious external SMB server.
• User Interaction: The attacker tricks the victim into clicking a link in a phishing email or on a compromised website, prompting the user to confirm launching the Snipping Tool program.
• Hash Theft: Once approved, Snipping Tool connects to the remote server to fetch the fake file, silently leaking the user’s NTLMv2 password hash in the background.
• Unauthorized Access: The attacker captures this hash and can use it to authenticate as the compromised user on the network.

Security experts warn that this vulnerability is highly adaptable for social engineering campaigns. An attacker could send a legitimate-looking webpage asking a user to crop a corporate wallpaper or edit a badge photo.

While the Snipping Tool opens normally on the user’s screen, making the request appear harmless, NTLM authentication occurs invisibly.

Although successful exploitation results in a loss of confidentiality, it does not allow the attacker to alter data (Integrity) or crash the system (Availability).

Microsoft notes that the exploit code maturity is currently unproven, and actual exploitation remains “Unlikely.” There are no reports of it being exploited in the wild.

Affected Systems

The vulnerability, detailed on GitHub, impacts a wide range of Microsoft operating systems, including multiple versions of Windows 10, Windows 11, and Windows Server from 2012 through 2025.

To secure networks against CVE-2026-33829, organizations should implement the following mitigation strategies:

• Immediately apply the official Microsoft security patches released on April 14, 2026.
• Block outbound SMB traffic (Port 445) at the network perimeter to prevent NTLM hashes from communicating with external servers.
• Educate employees about the dangers of clicking unknown links and unquestioningly approving application launch prompts from web browsers.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.