CVE-2017-0143
CVE-2017-0143 is a high-severity vulnerability in Microsoft Server Message Block with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.3
- EPSS exploit prediction: 93% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2017-0510
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Affected product: Microsoft Server Message Block
- Published:
- Last modified:
Description
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
CVE-2017-0143: Windows SMBv1 Remote Code Execution Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2017-0143 |
| CVSS v2 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) |
| CVSS v3 | 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| EPSS | 0.93307 (93.3%) |
| KEV | Yes (listed 2021-11-03) |
| Ransomware | Yes |
| CWE | Not specified in source data |
Summary
The SMBv1 server implementation in Microsoft Windows Vista SP2 through Windows Server 2016 contains a remote code execution vulnerability. An unauthenticated remote attacker can send specially crafted packets to the SMBv1 service to execute arbitrary code with system-level privileges. This vulnerability is closely related to CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Background
Server Message Block version 1 (SMBv1) is a legacy network file sharing protocol that has been part of Windows operating systems for decades. SMBv1 is susceptible to numerous protocol-level weaknesses and has been deprecated by Microsoft in favor of SMBv2 and SMBv3. Despite deprecation recommendations, SMBv1 remained enabled by default on many Windows systems through 2017, providing a broad attack surface for this vulnerability class.
This vulnerability gained significant notoriety as it was one of the flaws exploited by the EternalBlue exploit tool, which was subsequently leveraged by the WannaCry and NotPetya ransomware campaigns in 2017.
Root Cause
The root cause lies in the way the SMBv1 server handles specially crafted packets. The protocol implementation fails to properly validate input data during certain SMB transaction processing, leading to memory corruption conditions that can be exploited for remote code execution. The specific CWE is not identified in the available source data, but the vulnerability class aligns with memory corruption flaws commonly categorized under improper input validation or buffer errors.
Impact
With a CVSS v2 base score of 9.3 and CVSS v3 score of 8.8, this is a critical-severity vulnerability. The impact is severe across all three security pillars:
- Confidentiality: Complete compromise — an attacker can read any data on the system.
- Integrity: Complete compromise — an attacker can modify or delete any data.
- Availability: Complete compromise — an attacker can render the system unavailable.
The EPSS score of 93.3% indicates an extremely high probability of exploitation in the wild. The vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has been actively leveraged by ransomware operators.
Exploitation Walkthrough
Ethics Notice: The following describes the defensive understanding of how this vulnerability is exploited. No weaponized exploit code is provided. This information is intended to help defenders understand attack mechanics and improve detection capabilities.
- Reconnaissance: The attacker identifies a target system with TCP port 445 (SMB) exposed to the network.
- SMBv1 Negotiation: The attacker establishes an SMBv1 session with the target server.
- Malformed Packet Delivery: The attacker sends specially crafted SMB packets that trigger the memory corruption condition in the server's protocol handler.
- Code Execution: Successful exploitation results in arbitrary code execution in the context of the SYSTEM account, giving the attacker full control over the target machine.
From a defensive standpoint, this is a "one-packet" style remote code execution — no authentication is required, and the vulnerability is wormable, meaning it can propagate automatically across networks.
Affected and Patched Versions
Affected products (based on CPE data):
- Microsoft Windows Vista SP2
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows Server 2012 and 2012 R2
- Microsoft Windows RT 8.1
- Microsoft Windows 10 (versions 1507, 1511, 1607)
- Microsoft Windows Server 2016
- Microsoft Server Message Block 1.0
- Philips IntelliSpace Portal 7.0 and 8.0
- Multiple Siemens medical devices (ACUSON P300, P500, SC2000, X700; Syngo SC2000; Tissue Preparation System; Versant kPCR systems)
Specific patch release dates and KB article numbers are not provided in the source data. Organizations should consult the official Microsoft Security Response Center advisory for authoritative patch guidance.
Remediation
- Apply Vendor Patches: Install the security updates provided by Microsoft for affected Windows systems. Refer to the official Microsoft advisory in the References section.
- Disable SMBv1: If SMBv1 is not required for business operations, disable it entirely. Microsoft provides guidance on disabling SMBv1 via registry settings, Group Policy, and PowerShell.
- Network Segmentation: Restrict SMB traffic (TCP 445) to only necessary internal segments. Do not expose SMB to untrusted networks, especially the internet.
- Firewall Rules: Block inbound SMB connections at perimeter firewalls.
- Compensating Controls: Enable Windows Defender Exploit Guard or equivalent endpoint protection mechanisms that can block exploitation attempts.
Detection
- Network Monitoring: Monitor for anomalous SMBv1 traffic, especially unexpected SMB session negotiations from external sources or lateral movement patterns.
- Endpoint Detection: Look for abnormal process spawning from the System process (PID 4) or
svchost.exehosting the SMB service. - IDS/IPS Signatures: Ensure intrusion detection systems have signatures for EternalBlue and SMBv1 exploitation attempts.
- Vulnerability Scanning: Regularly scan for systems with SMBv1 enabled and missing relevant security patches.
- CISA KEV Monitoring: Track CISA KEV catalog updates, as this CVE is actively monitored for federal remediation requirements.
Assessment
CVE-2017-0143 represents one of the most consequential Windows vulnerabilities of the past decade. With an EPSS above 93% and confirmed exploitation by ransomware operators, this is not a theoretical risk — it is a demonstrated, high-volume attack vector. The vulnerability's wormable nature and the prevalence of SMBv1 at the time of disclosure created conditions for global-scale incidents.
Key lessons:
- Legacy protocols carry outsized risk: SMBv1 was deprecated for years before this vulnerability was disclosed, yet broad enablement allowed massive impact.
- Patch velocity matters: The WannaCry outbreak occurred months after patches were available, highlighting the critical importance of rapid remediation for KEV-listed flaws.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0143
- http://www.securityfocus.com/bid/96703
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.exploit-db.com/exploits/43970/
Frequently asked questions
- What is CVE-2017-0143?
- The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
- How severe is CVE-2017-0143?
- CVE-2017-0143 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-0143 being actively exploited?
- Yes. CVE-2017-0143 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-0143?
- CVE-2017-0143 primarily affects Microsoft Server Message Block. In total, 18 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-0143?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-0143 have an EU (EUVD) identifier?
- Yes. CVE-2017-0143 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0510. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2017-0143 published?
- CVE-2017-0143 was published on 2017-03-17 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96703
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.exploit-db.com/exploits/43970/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0143
Affected products (18)
- cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:philips:intellispace_portal:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:philips:intellispace_portal:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.02:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.03:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.20:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.21:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:va10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:vb10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:tissue_preparation_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_molecular_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_sample_prep_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Server Message Block
- CVE-2017-0146 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0145 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0144 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0148 — High (CVSS 8.1): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…