CVE-2017-0144
CVE-2017-0144 is a high-severity vulnerability in Microsoft Server Message Block with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-10).
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.3
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-02-10)
- EU (EUVD) id: EUVD-2017-0511
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-02-10)
- Affected product: Microsoft Server Message Block
- Published:
- Last modified:
Description
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
CVE-2017-0144: Windows SMBv1 Remote Code Execution (EternalBlue)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2017-0144 |
| Published | 2017-03-17 |
| Severity (CVSS v3) | 8.8 — HIGH |
| CVSS v2 | 9.3 |
| EPSS | 0.9923 (99.23% probability) |
| EPSS Percentile | 99.93% |
| CISA KEV | Yes — added 2022-02-10 |
| EU Exploited | Yes — since 2022-02-10 |
| CWE | Unknown / not assigned in NVD record |
2. Summary
CVE-2017-0144 is a critical remote code execution (RCE) vulnerability in the Server Message Block version 1 (SMBv1) server implementation in multiple Microsoft Windows operating systems. An unauthenticated remote attacker can exploit this flaw by sending specially crafted packets to the SMBv1 server, resulting in arbitrary code execution with system-level privileges. This vulnerability is one of the most consequential in modern computing history, serving as the primary exploit vector for the WannaCry ransomware campaign in May 2017.
3. Background
The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. SMBv1 is the original version of the protocol, dating back to the 1980s, and has been superseded by SMBv2 (introduced in Windows Vista) and SMBv3 (introduced in Windows 8 and Windows Server 2012).
CVE-2017-0144 was publicly disclosed by Microsoft on March 14, 2017, as part of Microsoft's monthly security update cycle (MS17-010). The vulnerability was among a cluster of SMB-related flaws patched simultaneously (CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148). It was later revealed that these vulnerabilities were among those allegedly exploited by the NSA and subsequently leaked by the Shadow Brokers group in April 2017, with the EternalBlue exploit specifically targeting CVE-2017-0144.
4. Root Cause
CWE: Unknown / not assigned.
The vulnerability stems from a memory corruption flaw in the SMBv1 server's handling of specially crafted packets. Specifically, the issue resides in how the SMBv1 server processes certain requests, failing to properly validate the size and structure of incoming data. This leads to a buffer overflow condition that can be leveraged by an attacker to execute arbitrary code in the kernel context.
The fundamental root cause is that SMBv1 contains legacy code paths that were not designed with modern security hardening principles. The protocol's complexity and age made it difficult to secure, and the specific flaw in CVE-2017-0144 allows an attacker to overwrite memory structures in a way that hijacks execution flow. The vulnerability can be triggered without any prior authentication, making it particularly dangerous for internet-facing or lateral-movement scenarios.
5. Impact
The impact of CVE-2017-0144 is catastrophic and aligns with its high CVSS scores:
-
CVSS v3 Score: 8.8 (HIGH)
- Attack Vector: Network (AV:N) — exploitable remotely over the network
- Attack Complexity: Low (AC:L) — no special conditions required
- Privileges Required: Low (PR:L) — though the vulnerability can be exploited without authentication, the CVSS v3 scoring reflects the attacker's position
- User Interaction: None (UI:N) — no user interaction needed
- Scope: Unchanged (S:U)
- Confidentiality Impact: High (C:H) — complete data disclosure
- Integrity Impact: High (I:H) — complete data modification
- Availability Impact: High (A:H) — complete system shutdown
-
CVSS v2 Score: 9.3
- Access Vector: Network (AV:N)
- Access Complexity: Medium (AC:M)
- Authentication: None (Au:N)
- Confidentiality: Complete (C:C)
- Integrity: Complete (I:C)
- Availability: Complete (A:C)
Successful exploitation grants the attacker complete control over the affected system, including the ability to install programs, view, change, or delete data, and create new accounts with full user rights. The vulnerability has been weaponized in ransomware (WannaCry, NotPetya), botnets, and cryptocurrency miners.
6. Exploitation Walkthrough (Defensive Perspective)
Ethics Caveat: This section describes the exploitation mechanics from a defensive and detection perspective only. No working exploit code is provided, and this information is intended to help defenders understand how attacks occur and how to detect or prevent them.
Exploitation Flow:
-
Reconnaissance: The attacker identifies a target system with SMBv1 enabled on TCP port 445. Tools like Shodan, masscan, or internal network scans can identify exposed systems.
-
Initial Trigger: The attacker sends a malformed SMBv1 packet to the target. The packet is crafted to trigger the memory corruption condition in the SMBv1 server service (
srv.sys). -
Memory Corruption: The vulnerable SMBv1 server fails to properly validate the packet structure, leading to a buffer overflow. The attacker overwrites kernel memory structures to redirect execution flow.
-
Code Execution: The hijacked execution flow runs attacker-controlled code in kernel mode. This typically involves a "DoublePulsar" backdoor implant or similar payload that establishes persistent access.
-
Post-Exploitation: With kernel-level access, the attacker can:
- Deploy ransomware (as seen with WannaCry)
- Exfiltrate sensitive data
- Move laterally across the network using SMB credentials
- Install additional malware or backdoors
Key Detection Points:
- Unusual SMBv1 traffic patterns
- Large numbers of failed SMB connections followed by a successful connection
- Kernel crashes or unexpected system reboots on SMB servers
- Network traffic to known C2 domains associated with EternalBlue exploits
7. Affected and Patched Versions
Affected Operating Systems:
- Microsoft Windows Vista SP2
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows Server 2012 and Server 2012 R2
- Microsoft Windows RT 8.1
- Microsoft Windows 10 (versions 1507, 1511, 1607)
- Microsoft Windows Server 2016
Siemens Medical Devices (affected firmware versions):
- Siemens ACUSON P300 (firmware 13.02, 13.03, 13.20, 13.21)
- Siemens ACUSON P500 (firmware VA10, VB10)
- Siemens ACUSON SC2000 (firmware up to 5.0a)
- Siemens ACUSON X700 (firmware 1.0, 1.1)
- Siemens Syngo SC2000 (firmware up to 5.0a)
- Siemens Tissue Preparation System (all firmware versions)
- Siemens VERSANT kPCR Molecular System (all firmware versions)
- Siemens VERSANT kPCR Sample Prep (all firmware versions)
Patch Status:
Microsoft released security bulletin MS17-010 on March 14, 2017, which patches this vulnerability. Windows 10 Creators Update (version 1703) and later versions are not affected as they include the SMBv1 patches by default. Microsoft also released emergency patches for end-of-life operating systems (Windows XP, Windows Server 2003, Windows 8) after the WannaCry outbreak.
8. Remediation
Primary Remediation:
-
Apply MS17-010 immediately. All affected systems should be patched with the March 2017 security updates. This is the single most effective mitigation.
-
Disable SMBv1. If SMBv1 is not required for legacy compatibility, it should be permanently disabled. Microsoft provides detailed guidance on disabling SMBv1 through PowerShell, registry edits, or Group Policy.
-
PowerShell (Windows 8.1 / Server 2012 R2 and later):
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -
Registry (all affected versions):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB1 = 0 (DWORD)
-
Compensating Controls:
-
Network Segmentation: Isolate SMB traffic to internal networks only. Block TCP port 445 at the perimeter firewall.
-
Intrusion Detection/Prevention: Deploy IDS/IPS signatures for EternalBlue exploitation attempts. Most modern IDS systems have signatures for this vulnerability.
-
Endpoint Protection: Ensure anti-malware and EDR solutions are updated with EternalBlue detection capabilities.
-
Least Privilege: Apply the principle of least privilege to limit lateral movement if a single system is compromised.
-
Network Monitoring: Monitor for anomalous SMB traffic, especially from unexpected source IPs or unusual payload sizes.
9. Detection
Network Detection:
- Monitor for SMB traffic on port 445 from untrusted or unexpected sources
- Look for SMBv1 negotiate requests (
SMB_COM_NEGOTIATE) followed by rapid data transfer - Deploy SNORT/Suricata rules for EternalBlue exploit signatures (SID 42004, 42005, etc.)
- Monitor for DoublePulsar backdoor traffic patterns (trans2 SESSION_SETUP requests with unusual parameters)
Host Detection:
- Event ID 4625 (failed logon attempts) spikes on SMB servers
- Event ID 5156 (Windows Firewall allowed connection) for SMB from unexpected sources
- Monitor for the creation of new services or scheduled tasks following SMB connections
- Check for the presence of the DoublePulsar backdoor using specialized scanners
Log Sources:
- Windows Security Event Logs
- SMB Server Audit Logs
- Network flow logs (NetFlow, sFlow)
- Firewall and IDS/IPS logs
10. Assessment
EPSS and KEV Context:
CVE-2017-0144 has an EPSS score of 0.9923 (99.23% probability of exploitation in the wild), placing it in the 99.93rd percentile of all CVEs. This indicates an extraordinarily high likelihood of active exploitation. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog, added on February 10, 2022, and is flagged as exploited in the EU since the same date.
The combination of high EPSS, KEV status, and historical exploitation (WannaCry, NotPetya, numerous botnets) makes this one of the highest-risk vulnerabilities still present in enterprise environments. Any unpatched system with SMBv1 enabled is effectively guaranteed to be compromised if exposed to a hostile network.
Key Lessons:
-
Legacy protocols are dangerous: SMBv1 is a 30+ year-old protocol with fundamental design flaws. Organizations should aggressively deprecate legacy protocols that lack modern security features.
-
Patch velocity matters: The WannaCry outbreak occurred more than a month after MS17-010 was released. Organizations with slow patch cycles paid a steep price. The incident underscores the need for rapid, automated patching for critical vulnerabilities.
-
Supply chain and IoT/medical device risks: The Siemens medical device entries in this CVE highlight that the vulnerability extends beyond traditional IT infrastructure. Medical devices, industrial control systems, and embedded systems often run on older Windows variants and are difficult to patch, creating persistent blind spots.
11. References
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96704
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.exploit-db.com/exploits/42030/
- https://www.exploit-db.com/exploits/42031/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0144
Frequently asked questions
- What is CVE-2017-0144?
- The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
- How severe is CVE-2017-0144?
- CVE-2017-0144 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-0144 being actively exploited?
- Yes. CVE-2017-0144 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-0144?
- CVE-2017-0144 primarily affects Microsoft Server Message Block. In total, 16 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-0144?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-0144 have an EU (EUVD) identifier?
- Yes. CVE-2017-0144 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0511. It is also flagged as exploited in the EUVD (since 2022-02-10).
- When was CVE-2017-0144 published?
- CVE-2017-0144 was published on 2017-03-17 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96704
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.exploit-db.com/exploits/42030/
- https://www.exploit-db.com/exploits/42031/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0144
Affected products (16)
- cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.02:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.03:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.20:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.21:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:va10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:vb10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:tissue_preparation_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_molecular_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_sample_prep_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Server Message Block
- CVE-2017-0146 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0145 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0143 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0148 — High (CVSS 8.1): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…