Microsoft has patched a newly disclosed vulnerability in the Windows Snipping Tool that lets an attacker coax the application into an outbound SMB connection and capture the user's NTLM authentication material. Microsoft classifies the issue as a spoofing vulnerability.

The flaw, tracked as CVE-2026-33829, was reported by security researcher Margaruga of BlackArrowSec's Red Team. It stems from how the Snipping Tool handles certain deep-link requests and lets an attacker obtain the user's Net-NTLM challenge-response (commonly called a Net-NTLM hash) without any prior access to the system.

At the center of the issue is the custom URI scheme ms-screensketch, which the Snipping Tool registers as a protocol handler so that other applications and web pages can hand it commands. The handler does not adequately validate the filePath parameter of such a URI: a value that points at an attacker-controlled network location (a UNC path such as \\attacker\share\image.png) is accepted, and the application tries to open it.

Opening a UNC path makes Windows negotiate an SMB session with that host, and the SMB client authenticates with NTLM, handing the user's Net-NTLM response (NTLMv2 on any modern configuration) to the attacker's listener. The attacker can attempt to crack that response offline to recover the password, or relay it in real time to another service that does not enforce signing, and so impersonate the user or move laterally inside the enterprise network.
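The check the handler should have applied to the filePath parameter, as an added example (not code from the page, from Microsoft, or from BlackArrowSec). The layout ms-screensketch:<command>?filePath=<value> and the parameter name are assumed from the description above rather than taken from the real handler, the sample links are constructed, and attacker.example is a placeholder host:

```python
"""
Added example, not code from the page, from Microsoft, or from BlackArrowSec.
It shows the validation the article says the handler lacked: before acting on
the filePath parameter of an ms-screensketch: link, refuse any value that
would make the process open a network location and so authenticate over SMB.

Assumptions: the query layout "ms-screensketch:<command>?filePath=<value>" and
the parameter name are taken from the article's description and are not the
verified on-disk format; the sample links below are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCHEME = "ms-screensketch"

# \\?\UNC\host\share and \\.\UNC\host\share are the DOS-device spellings of a UNC path.
_DEVICE_UNC = re.compile(r"^\\\\[?.]\\UNC\\", re.IGNORECASE)


def extract_file_path(uri):
    r"""Return the decoded filePath parameter of an ms-screensketch URI, or None.

    parse_qs already percent-decodes the value, so an encoded "%5C%5Chost"
    arrives as two backslashes followed by host. The parameter name is matched
    case-insensitively, as Windows shell components generally treat such names.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != SCHEME:
        return None
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == "filepath" and values:
            return values[0]
    return None


def is_remote_path(path):
    r"""True if opening `path` would make Windows contact another host.

    Covers the spellings an attacker can choose: \\host\share, //host/share
    (the Win32 path parser accepts forward slashes), the DOS-device form
    \\?\UNC\host\share, and file: URIs with a host or a //host path.
    Local DOS-device paths such as \\?\C:\dir\file.png are not remote.
    """
    p = path.strip()
    if p.lower().startswith("file:"):
        parts = urlsplit(p)
        if parts.netloc and parts.netloc.lower() != "localhost":
            return True                      # file://host/share/file.png
        p = unquote(parts.path)              # file:///C:/x -> /C:/x ; file:////host/s -> //host/s
    p = p.replace("/", "\\")
    if _DEVICE_UNC.match(p):
        return True
    if p.startswith("\\\\"):
        # \\?\ and \\.\ followed by anything other than UNC\ are local device paths.
        return p[2:4] not in ("?\\", ".\\")
    return False


def check_deep_link(uri):
    """Policy decision for one deep link: 'allow', 'reject' or 'no-path'."""
    path = extract_file_path(uri)
    if path is None:
        return "no-path"
    return "reject" if is_remote_path(path) else "allow"


# Constructed sample links (attacker.example is a placeholder host, not a real server).
SAMPLE_LINKS = {
    "plain UNC, percent-encoded": "ms-screensketch:edit?filePath=%5C%5Cattacker.example%5Cshare%5Cimg.png",
    "forward-slash UNC": "ms-screensketch:edit?filePath=//attacker.example/share/img.png",
    "DOS-device UNC": "ms-screensketch:edit?filePath=%5C%5C%3F%5CUNC%5Cattacker.example%5Cshare%5Cimg.png",
    "file URI with host": "ms-screensketch:edit?filePath=file://attacker.example/share/img.png",
    "local drive path": "ms-screensketch:edit?filePath=C%3A%5CUsers%5Calice%5CPictures%5Cshot.png",
    "local DOS-device path": "ms-screensketch:edit?filePath=%5C%5C%3F%5CC%3A%5CUsers%5Calice%5Cshot.png",
    "local file URI": "ms-screensketch:edit?filePath=file:///C:/Users/alice/shot.png",
    "no filePath at all": "ms-screensketch:edit",
}

if __name__ == "__main__":
    for label, link in SAMPLE_LINKS.items():
        print(f"{check_deep_link(link):8} {label}")
```

Running the script classifies each constructed link. The design point is that the check must run on the decoded value and must cover every spelling Windows accepts for a network path: a filter that only looks for a literal leading \\ misses the forward-slash and DOS-device forms, and a filter that only looks at the raw query misses percent-encoding. The article's description is that the Snipping Tool applied no such validation at all.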

What makes the vulnerability concerning is how easily it is triggered. It requires user interaction, but very little: opening a crafted link, or visiting a web page that launches the ms-screensketch handler, is enough, and in most browsers the only thing standing in the way is the confirmation prompt for opening an external protocol handler. The SMB connection itself happens in the background, so users may not notice anything suspicious.

The researchers showed that the malicious link can be dressed up as a legitimate image or an internal resource, which raises the odds that the social engineering succeeds. Once triggered, the Snipping Tool initiates the connection to the attacker's server silently, with no indication to the user that authentication data has left the machine.

The vulnerability does not grant code execution or full system access on its own, but Net-NTLM leaks are a classic first link in a longer chain. A captured NTLMv2 response cannot be passed around like an NT hash, but it can be cracked offline if the password is weak, or relayed to SMB, LDAP or HTTP services that do not require signing or channel binding, letting the attacker authenticate as the user, escalate privileges, or move laterally, especially in enterprise environments where NTLM is still widely accepted.

Microsoft released a fix in its April 2026 security updates, and organizations and individual users should apply it promptly. As defense in depth against this whole class of NTLM-leak bugs, block outbound SMB (TCP 445) to the internet at both the perimeter and the host firewall, and consider the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy where the environment can tolerate it.

The case is another reminder that even a simple utility can expose credentials when a convenience feature such as a protocol handler is not properly constrained. As attackers keep mining overlooked features and protocols, keeping systems patched and teaching users to be wary of unexpected links remain essential.
