CVE-2017-0145
CVE-2017-0145 is a high-severity vulnerability in Microsoft Server Message Block with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-10).
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.3
- EPSS exploit prediction: 90% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-02-10)
- EU (EUVD) id: EUVD-2017-0512
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-02-10)
- Affected product: Microsoft Server Message Block
- Published:
- Last modified:
Description
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.
CVE-2017-0145: Windows SMBv1 Remote Code Execution — The EternalBlue Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2017-0145 |
| Published | 2017-03-17 |
| CVSS v2 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) |
| CVSS v3 | 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| EPSS | 0.8985 (99.8th percentile) |
| KEV | Yes (since 2022-02-10) |
| EU Exploited | Yes (EUVD-2017-0512) |
| Ransomware | Yes |
| Assigner | [email protected] |
Summary
CVE-2017-0145 is a critical remote code execution vulnerability in the SMBv1 server implementation found in multiple Microsoft Windows versions. An unauthenticated remote attacker can exploit this flaw by sending specially crafted SMB packets to a target system, resulting in arbitrary code execution with full system privileges. The vulnerability is closely associated with the EternalBlue exploit and has been widely leveraged in ransomware campaigns, most notably WannaCry and NotPetya.
Background
Server Message Block version 1 (SMBv1) is a legacy network file-sharing protocol that has been part of the Windows ecosystem since the early 1990s. Despite its age, SMBv1 remained enabled by default on many Windows versions through 2016. The protocol handles authentication, file sharing, and printer services over TCP port 445. Its long history and complex message parsing made it a prime target for memory-corruption vulnerabilities. CVE-2017-0145 was disclosed by Microsoft in March 2017 as part of a larger patch release addressing multiple SMB-related vulnerabilities, including CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.
Root Cause
The specific CWE identifier for this vulnerability is not specified in the available source data. However, the vulnerability stems from improper handling of specially crafted SMBv1 packets, most likely involving a memory corruption condition such as a buffer overflow or use-after-free within the SMBv1 server driver (srv.sys). When the SMBv1 server processes malformed packet structures — particularly during the negotiation or transaction phases — it fails to validate buffer bounds or pointer references adequately. This allows an attacker to overwrite critical memory regions, hijack control flow, and achieve remote code execution in kernel context.
Impact
The CVSS v2 base score of 9.3 and CVSS v3 score of 8.8 both classify this as a critical-severity vulnerability. The impact is total across the confidentiality, integrity, and availability triad:
- Confidentiality (C:C / C:H): A successful exploit grants the attacker complete access to all data on the target system, including sensitive files, credentials, and configuration data.
- Integrity (I:C / I:H): The attacker can modify, delete, or tamper with any file or system setting, effectively owning the system.
- Availability (A:C / A:H): The attacker can crash the system or render it inoperable, as demonstrated by the destructive NotPetya wiper.
The CVSS v3 vector indicates network attack vector (AV:N), low attack complexity (AC:L), and no user interaction required (UI:N), meaning the vulnerability is wormable and can propagate rapidly across networks with SMB exposed.
Exploitation Walkthrough
Ethics Caveat: This section describes the exploitation flow at a defensive, architectural level only. No weaponized exploit code or step-by-step reproduction instructions are provided. The goal is to help defenders understand the attack surface and design effective mitigations.
The exploitation chain typically follows this pattern:
- Reconnaissance: The attacker scans the target network for hosts with TCP port 445 (SMB) open and reachable from their position.
- SMBv1 Negotiation: The attacker initiates an SMBv1 session to the target. If the target responds with SMBv1 dialect support, the vulnerability is potentially present.
- Malformed Packet Crafting: The attacker sends a specially crafted SMBv1 packet — often during the
SMB_COM_TRANSACTION2_SECONDARYor similar transaction type — that triggers the memory corruption condition in the SMBv1 server driver. - Arbitrary Code Execution: Through careful manipulation of the corrupted memory region, the attacker redirects execution to a payload of their choosing. Because the SMBv1 server runs in kernel mode, the resulting code execution also occurs in kernel context with the highest possible privileges.
- Post-Exploitation: With kernel-level access, the attacker can deploy secondary payloads, move laterally, exfiltrate data, or install persistent backdoors such as DOUBLEPULSAR.
Affected and Patched Versions
Affected Products
The following Windows versions and configurations are confirmed vulnerable based on the CPE data in the source record:
- Microsoft Windows Vista SP2
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows Server 2012 and 2012 R2
- Microsoft Windows RT 8.1
- Microsoft Windows 10 (versions 1507, 1511, 1607)
- Microsoft Windows Server 2016
- Server Message Block 1.0 (SMBv1) protocol component
Additionally, several Siemens medical devices (e.g., ACUSON P300, P500, SC2000, X700, and related systems) were identified as affected due to their embedded Windows-based operating systems.
Patched Versions
Specific patch information (KB numbers) is not included in the available source data. Organizations should consult the Microsoft Security Response Center advisory for CVE-2017-0145 to obtain the correct security update for their operating system version. Microsoft released the critical patch in March 2017 (MS17-010).
Remediation
- Apply Security Updates: Install the March 2017 Microsoft security updates (MS17-010) from the Microsoft Security Response Center for all affected Windows versions. Prioritize internet-facing and internal critical servers.
- Disable SMBv1: If SMBv1 is not required for legacy compatibility, disable it entirely. This is the strongest compensating control:
- On Windows 8.1 and Windows Server 2012 R2 and later, use the
Windows Featurescontrol panel or PowerShell (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol). - On Windows 7 and Server 2008 R2, disable the SMBv1 client and server via registry or Group Policy.
- On Windows 8.1 and Windows Server 2012 R2 and later, use the
- Network Segmentation: Restrict SMB traffic (TCP 445) to only trusted subnets and necessary hosts. Block SMB at the perimeter firewall and enforce host-based firewall rules internally.
- Enable SMB Signing: Configure SMB signing to prevent certain man-in-the-middle and relay attacks that may accompany SMB-based exploitation.
- Monitor for Legacy Protocols: Use asset discovery and configuration management tools to identify and retire any remaining SMBv1 usage in the environment.
Detection
Defenders can detect exploitation and post-exploitation activity through several telemetry sources:
- Network Signatures: Monitor for anomalous SMBv1 traffic patterns, large-volume SMB transfers to unexpected hosts, or known EternalBlue/DOUBLEPULSAR network signatures. Intrusion detection systems (IDS) and network traffic analysis (NTA) platforms may have built-in detection for these behaviors.
- Endpoint Detection: Look for kernel-level process injection, unexpected service installations, or the creation of named pipes associated with DOUBLEPULSAR backdoor activity.
- Windows Event Logs: Enable and audit SMB-related event logs. Event IDs related to SMB authentication anomalies or file-share access from unusual sources can indicate lateral movement.
- Vulnerability Scanning: Regularly scan for the presence of MS17-010 patches and active SMBv1 services to maintain an accurate exposure picture.
Assessment
CVE-2017-0145 is one of the most consequential Windows vulnerabilities of the past decade. With an EPSS score of 0.8985 (89.85% probability of exploitation in the wild) and placement in the 99.8th percentile, it represents an extreme risk. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog and the European Union's exploited vulnerabilities database (EUVD-2017-0512) confirms sustained, real-world abuse. The WannaCry (May 2017) and NotPetya (June 2017) outbreaks demonstrated the global destructive potential of this flaw when combined with reliable exploit code.
Key Lessons:
- Legacy Protocols Are High-Risk Debt: SMBv1 was deprecated in practice for years before this vulnerability, yet its default-enable status on many systems created a massive, unaddressed attack surface. Security teams should treat legacy protocols as technical debt requiring active retirement roadmaps.
- Patch Velocity Matters: The WannaCry outbreak occurred roughly two months after Microsoft released patches. Organizations with slow or incomplete patching processes suffered disproportionately. This underscores the importance of rapid patch management, especially for wormable, network-exploitable critical vulnerabilities.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0145
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- http://www.securityfocus.com/bid/96705
- http://www.securitytracker.com/id/1037991
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
Frequently asked questions
- What is CVE-2017-0145?
- The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.
- How severe is CVE-2017-0145?
- CVE-2017-0145 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-0145 being actively exploited?
- Yes. CVE-2017-0145 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-0145?
- CVE-2017-0145 primarily affects Microsoft Server Message Block. In total, 16 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-0145?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-0145 have an EU (EUVD) identifier?
- Yes. CVE-2017-0145 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0512. It is also flagged as exploited in the EUVD (since 2022-02-10).
- When was CVE-2017-0145 published?
- CVE-2017-0145 was published on 2017-03-17 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96705
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0145
Affected products (16)
- cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.02:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.03:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.20:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.21:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:va10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:vb10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:tissue_preparation_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_molecular_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_sample_prep_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Server Message Block
- CVE-2017-0146 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0144 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0143 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0148 — High (CVSS 8.1): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…