EXECUTIVE SUMMARY:
CVE-2026-33829, with a CVSS score of 4.3, is a spoofing vulnerability in the Windows Snipping Tool that can expose a user's NTLMv2 hash to a remote attacker. The flaw resides in the application's handling of the ms-screensketch: URI scheme, where a specially crafted link can direct the Snipping Tool to access a file hosted on an attacker-controlled SMB share. If a user clicks the malicious link and approves the protocol launch, Windows automatically attempts SMB authentication to the remote server, leaking the victim's NTLMv2 hash without further interaction. Attackers can potentially use the captured hash in relay attacks, pass-the-hash techniques, or offline password-cracking attempts to gain unauthorized access to systems and network resources. Microsoft has addressed the vulnerability through security updates and recommends organizations apply the available patches promptly.
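As an added example (not part of the original advisory or of Microsoft's guidance), the following Python detector flags ms-screensketch: URIs in mail or proxy log lines whose decoded content points at a remote SMB/UNC host. The advisory does not give the exact URI syntax, so the check is parameter-agnostic; the names "placeholder" and "param" and the hosts in the sample lines are constructed.

```python
import re
from urllib.parse import unquote

SCHEME = "ms-screensketch:"  # URI scheme named in the advisory
URI_RE = re.compile(r"ms-screensketch:[^\s\"'<>]*", re.IGNORECASE)
# UNC reference (\\host\share or //host/share); also matches file://host/ and smb://host/.
REMOTE_RE = re.compile(r"(?:\\\\|//)(?P<host>[A-Za-z0-9._@-]+)[\\/]")


def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded backslashes (%255C) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_remote_screensketch(line):
    """Return (decoded_uri, host) for each ms-screensketch: URI naming a remote host."""
    hits = []
    # Decode the whole line first so an encoded scheme (ms-screensketch%3A) is still found.
    for match in URI_RE.finditer(fully_decode(line)):
        uri = match.group(0)
        # Drop the scheme and leading slashes so the URI's own
        # authority part is not mistaken for a UNC host.
        rest = uri[len(SCHEME):].lstrip("/")
        remote = REMOTE_RE.search(rest)
        if remote:
            hits.append((uri, remote.group("host").lower()))
    return hits


# Constructed sample lines. "placeholder" and "param" are hypothetical names,
# and the hosts are reserved documentation values.
SAMPLE_LINES = [
    '<a href="ms-screensketch:placeholder?param=%5C%5Cfiles.untrusted.example%5Cshare%5Cimg.png">open</a>',
    "url=ms-screensketch:placeholder?param=%255C%255C203.0.113.7%255Cs%255Ca.png",
    "url=ms-screensketch:placeholder?param=C%3A%5CUsers%5Calice%5Cshot.png",
    "url=ms-screensketch:placeholder?param=file:///C:/Users/alice/shot.png",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for uri, host in find_remote_screensketch(line):
            print(f"ALERT remote host {host!r} in {uri}")
```

Local drive paths and file:///C:/ references are not flagged, so only links that would trigger outbound SMB authentication raise an alert.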
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/windows-search-uri-flaw-leaks-ntlmv2-hashes/