Windows Snipping Tool Vulnerability (CVE‑2026‑33829) Enables NTLMv2 Hash Hijack and Pass‑the‑Hash Attacks
What Happened – A newly disclosed CVE (CVE‑2026‑33829) in the built‑in Windows Snipping Tool allows an attacker to force NTLMv2 authentication to a remote SMB server via a crafted ms‑screensketch:edit URI. When a user clicks a malicious link and approves the “Open Snipping Tool” prompt, Windows automatically transmits the user’s NTLMv2 hash (together with further hashes harvested through WPAD and LLMNR/mDNS poisoning) to the attacker, enabling Pass‑the‑Hash attacks.
Why It Matters for TPRM –
- Credential theft can give threat actors lateral movement across a third‑party’s network, exposing shared data.
- The exploit works on any unpatched Windows 10, 11, or Server 2012‑2025 endpoint, affecting a broad vendor base.
- Attackers can harvest multiple credential hashes from a single click, amplifying risk to downstream partners.
Who Is Affected – Enterprises across all sectors that run unpatched Windows 10/11 or Windows Server 2012‑2025, including MSPs, SaaS providers, and any organization that enables the Snipping Tool on employee workstations.
Recommended Actions –
- Deploy Microsoft’s April 2026 security update that mitigates CVE‑2026‑33829.
- If immediate patching is not possible, disable the Snipping Tool via Group Policy or AppLocker.
- Enforce SMB signing and disable NTLM where feasible; consider moving to Kerberos‑only authentication.
- Monitor for anomalous NTLM hash traffic and implement network‑level detection (e.g., Responder alerts).
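As an added example (not code from the advisory or the Exploit‑DB entry), the following Python script illustrates the network‑level detection recommended above: it scans constructed Sysmon Event ID 3 (network connection) records, one JSON object per line, and flags outbound SMB connections whose destination lies outside the organisation’s internal address ranges, which is the traffic pattern a coerced NTLM authentication to an attacker‑controlled SMB server would produce. The field names follow Sysmon’s network‑connection event; the sample records and the internal ranges are assumptions.

```python
import ipaddress
import json

# Constructed sample of Sysmon Event ID 3 records (not real telemetry).
# Only the second record is an outbound SMB connection to an external host.
SAMPLE_LOG = """\
{"EventID":3,"Image":"System","SourceIp":"10.20.30.40","DestinationIp":"10.20.30.5","DestinationPort":445,"Protocol":"tcp"}
{"EventID":3,"Image":"System","SourceIp":"10.20.30.40","DestinationIp":"203.0.113.9","DestinationPort":445,"Protocol":"tcp"}
{"EventID":3,"Image":"svchost.exe","SourceIp":"10.20.30.40","DestinationIp":"198.51.100.7","DestinationPort":80,"Protocol":"tcp"}
{"EventID":3,"Image":"browser.exe","SourceIp":"10.20.30.40","DestinationIp":"198.51.100.20","DestinationPort":443,"Protocol":"tcp"}
{"EventID":3,"Image":"System","SourceIp":"10.20.30.40","DestinationIp":"224.0.0.251","DestinationPort":5353,"Protocol":"udp"}
"""

# Assumed internal ranges; an enterprise would substitute its own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]
SMB_PORTS = {445, 139}


def is_internal(ip_text):
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_egress(log_text):
    """Return one alert per outbound TCP/SMB connection to a non-internal host."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3 or ev.get("Protocol") != "tcp":
            continue
        if int(ev.get("DestinationPort", 0)) not in SMB_PORTS:
            continue
        if is_internal(ev["DestinationIp"]):
            continue  # SMB to a file server on the LAN is expected
        alerts.append({
            "source": ev["SourceIp"],
            "destination": ev["DestinationIp"],
            "port": int(ev["DestinationPort"]),
            "image": ev.get("Image", "?"),
            "reason": "outbound SMB to external host: possible NTLM credential leak",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_smb_egress(SAMPLE_LOG):
        print(alert)
```

Feeding the same function with exported Sysmon or firewall logs gives a quick triage list; each hit should be checked against known external file shares before it is treated as a leak.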
Technical Notes – The exploit is triggered by a malicious ms‑screensketch:edit?filePath… URI delivered via a web page or email. It captures NTLMv2 hashes over SMB, over HTTP (via WPAD), and through fallback LLMNR/mDNS poisoning. The vulnerability is rated CVSS 4.3 (Medium), but the practical impact is high because the captured credentials can be reused. Source: Exploit‑DB 52567