ZCyberNews
Vulnerabilities, severity: High
CVE-2026-33829

Windows Snipping Tool Vulnerability Leaks NTLM Hashes via Malicious Links

CVE-2026-33829 in Windows Snipping Tool allows attackers to steal NTLMv2 hashes via malicious links. A public PoC exploit targets the ms-screensketch protocol to enable credential relay attacks.


MITRE ATT&CK® TTPs (1)

Initial Access: T1566 Phishing

Executive Summary

A proof-of-concept exploit for a vulnerability in Microsoft's Windows Snipping Tool, tracked as CVE-2026-33829, has been publicly released. The flaw allows an attacker to silently steal a user's Net-NTLMv2 credential hash by tricking them into clicking a malicious link. The vulnerability is rooted in the tool's handling of the ms-screensketch deep link protocol, which can be abused to force the application to authenticate to an attacker-controlled server, according to analysis of the public PoC.

Technical Analysis

The vulnerability, CVE-2026-33829, is a logic flaw in the URI handler registration for the ms-screensketch protocol used by the Windows Snipping Tool (and its predecessor, Snip & Sketch). When a user clicks a specially crafted link (e.g., in a phishing email or webpage), the Snipping Tool is invoked. The application then attempts to load a remote resource, such as an image, from a server specified by the attacker within the malicious URI. This action triggers an automatic Windows authentication attempt, sending the user's Net-NTLMv2 hash to the attacker's server without any visible interaction or warning to the user beyond the Snipping Tool window opening.

The public proof-of-concept demonstrates that the attack is stealthy and requires no user interaction beyond the initial click. The stolen NTLM hash can then be used in pass-the-hash or relay attacks to gain unauthorized access to other network resources where the user has privileges, assuming the target environment does not enforce SMB signing or other NTLM relay mitigations. The flaw is present in the default configuration of supported Windows 10 and Windows 11 systems where the Snipping Tool is installed.

Tactics, Techniques & Procedures

The primary technique demonstrated is the abuse of the ms-screensketch URI protocol handler to initiate an unauthorized authentication attempt (T1189: Drive-by Compromise, T1601: Modify System Image). This leads to credential harvesting via the forced transmission of an NTLMv2 hash (T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay). The attack chain relies on initial access vectors like phishing (T1566) to deliver the malicious link.

Threat Actor Context

No specific threat actor has been publicly attributed to exploiting this vulnerability at this time. The public release of a functional proof-of-concept significantly lowers the barrier to entry for opportunistic attackers and ransomware affiliates seeking initial network footholds through credential theft. The technique is consistent with broader attacker trends focused on abusing legitimate Windows components and protocols for lateral movement.

Mitigations & Recommendations

Microsoft has not yet released a patch for CVE-2026-33829 as of the source publication date. The primary immediate mitigation is to disable the ms-screensketch URI protocol handler at the system level via the Windows Registry. Organizations should also enforce SMB signing on all systems to neutralize NTLM relay attacks, which is a critical control given the nature of the stolen credential. Network-level controls to block outbound SMB and related authentication traffic from workstations to the internet can prevent hash exfiltration. Users should be educated to avoid clicking on unsolicited links, though the attack leverages a trusted native application, reducing the effectiveness of user awareness alone.
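The three technical mitigations above (remove the URI handler, require SMB signing, block outbound SMB) as a single audit-and-remediate script. This is an added example, not code from the article or from Microsoft; it assumes the handler is registered under HKEY_CLASSES_ROOT\ms-screensketch, the standard registration point for URI schemes (the article does not name the key), and the firewall rule name is an arbitrary label.

```powershell
# Audit mode by default; pass -Remediate (from an elevated prompt) to apply changes.
param([switch]$Remediate)

$scheme  = 'ms-screensketch'
$regPath = "Registry::HKEY_CLASSES_ROOT\$scheme"   # assumed location of the handler
$backup  = Join-Path $env:ProgramData "$scheme-handler-backup.reg"

# 1. URI handler: is ms-screensketch still registered for protocol activation?
if (Test-Path $regPath) {
    $cmd = (Get-ItemProperty -Path "$regPath\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    Write-Output "FINDING: $scheme handler registered (command: $cmd)"
    if ($Remediate) {
        # Export first so the handler can be restored once a patch is available
        & reg.exe export "HKCR\$scheme" $backup /y | Out-Null
        Remove-Item -Path $regPath -Recurse -Force
        Write-Output "Removed $regPath (backup written to $backup)"
    }
} else {
    Write-Output "OK: $scheme handler not registered"
}

# 2. SMB signing: relaying the captured Net-NTLMv2 hash needs an unsigned session,
#    so both the server and client side should require signatures.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
if (-not $srv.RequireSecuritySignature) {
    Write-Output 'FINDING: SMB server does not require signing'
    if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
if (-not $cli.RequireSecuritySignature) {
    Write-Output 'FINDING: SMB client does not require signing'
    if ($Remediate) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 3. Egress: a forced authentication to an internet host should never leave the network.
$ruleName = 'Block outbound SMB to Internet'   # arbitrary rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    Write-Output 'FINDING: no outbound SMB block rule present'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block | Out-Null
        Write-Output "Created firewall rule '$ruleName'"
    }
} else {
    Write-Output "OK: firewall rule '$ruleName' present"
}
```

Removing the handler key also disables legitimate ms-screensketch links until the backup is re-imported, so roll it out through change management rather than ad hoc.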
