Published on April 17, 2026
Windows Snipping Tool Vulnerability Allows Attacker to Perform Spoofing Over a Network
Severity
Medium
Detail
Microsoft has addressed a moderate-severity vulnerability in the Windows Snipping Tool that could allow attackers to steal user credentials through a spoofing attack.
Tracked as CVE-2026-33829, the flaw was patched as part of the April 14, 2026, security updates. The vulnerability was discovered and reported by security researchers at Blackarrow (Tarlogic), highlighting risks associated with improper handling of application URL schemes in Windows environments.
The issue exists in how the Windows Snipping Tool processes deep links using the ms-screensketch URI schema. Due to insufficient validation of user-supplied input, an attacker can exploit this behavior to trigger unintended network authentication requests. Specifically, the flaw allows an attacker to force the victim’s system to initiate an authenticated Server Message Block (SMB) connection to a malicious external server. This results in the leakage of the user’s NTLMv2 password hash.
| CVE ID | Summary | CVSS Score |
| CVE-2026-33829 | Windows Snipping Tool spoofing vulnerability leading to credential leakage. Classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. | 4.3 (Medium) |
Affected Products
The vulnerability impacts multiple versions of:
- Windows 10
- Windows 11
- Windows Server (2012 through 2025)
Recommendation
Organizations should implement the following mitigation strategies to secure networks against CVE-2026-33829:
- Immediately apply the official Microsoft security patches released on April 14, 2026.
- Block outbound SMB traffic (Port 445) at the network perimeter to prevent NTLM hashes from communicating with external servers.
- Educate employees about the dangers of clicking unknown links and unquestioningly approving application launch prompts from web browsers.
Source
https://cybersecuritynews.com/windows-snipping-tool-vulnerability/