CVE-2017-0146

CVE-2017-0146 is a high-severity vulnerability in Microsoft Server Message Block with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25).

Key facts

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.

CVE-2017-0146: Windows SMBv1 Remote Code Execution Vulnerability

AI-generated analysis based on the vulnerability data on this page.

CVE ID CVSSv2 CVSSv3 EPSS KEV CWE
CVE-2017-0146 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) 0.89862 (99.78th percentile) Yes (since 2022-03-25) Not specified

Summary

The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 and R2, Windows RT 8.1, Windows 10 Gold/1511/1607, and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets. This vulnerability is also known as "Windows SMB Remote Code Execution Vulnerability" and is distinct from CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.

Background

SMBv1 is the original version of the Server Message Block protocol used for file sharing, printer access, and inter-process communication on Windows networks. Although superseded by SMBv2 and SMBv3, SMBv1 remained enabled by default in many Windows versions, exposing a broad attack surface. The vulnerability attracted significant attention following the public disclosure of related exploit frameworks.

Root cause

The specific CWE identifier is not provided in the available data. The vulnerability resides in the SMBv1 server’s handling of specially crafted packets, where insufficient validation enables memory corruption conditions that can be leveraged for remote code execution. Because the flaw exists in a core network-facing service, it can be triggered without local access.

Impact

With a CVSSv3 score of 8.8 (HIGH), the impact is severe. The confidentiality, integrity, and availability ratings are all HIGH. An attacker with network access can achieve complete system compromise, including arbitrary code execution with elevated privileges. The CVSSv2 score of 9.3 further underscores the criticality of this flaw.

Exploitation walkthrough

Attackers typically deliver the exploit by sending malicious SMB packets to a target on TCP port 445. The payload is designed to exploit the memory corruption condition in the SMBv1 server process, resulting in arbitrary code execution in the context of the service. This method has been actively used in the wild, as confirmed by the CISA Known Exploited Vulnerabilities catalog and referenced exploit-neutralization research.

Ethics caveat: This section describes exploitation concepts for defensive purposes only. Possession or use of weaponized exploit code against systems without explicit authorization is illegal and unethical. Security practitioners should use this knowledge solely to improve detection, patching, and network-hardening strategies.

Affected and patched versions

Affected versions include:

  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP2 and R2 SP1
  • Windows 7 SP1
  • Windows 8.1
  • Windows Server 2012 and Server 2012 R2
  • Windows RT 8.1
  • Windows 10 (Gold, 1511, 1607)
  • Windows Server 2016
  • Siemens medical devices (e.g., ACUSON P300, P500, SC2000, X700, syngo SC2000, Tissue Preparation System, VERSANT kPCR Molecular System and Sample Prep)

The available data does not enumerate specific patched build numbers. Administrators should consult the Microsoft Security Response Center advisory for definitive patch availability.

Remediation

  1. Apply security updates: Install the updates provided by Microsoft as referenced in the MSRC security guidance.
  2. Disable SMBv1: Where operationally feasible, disable the SMBv1 protocol entirely via Windows features or registry settings.
  3. Network segmentation: Restrict SMB traffic (TCP 445) to trusted hosts and segments.
  4. Compensating controls: Deploy host-based firewalls and intrusion-prevention rules that block unsolicited SMBv1 connections.
  5. Asset inventory: Identify Siemens and other embedded systems in the affected list that may require vendor-specific firmware updates.

Detection

  • Monitor network traffic for anomalous SMBv1 sessions, especially from untrusted sources.
  • Alert on unexpected inbound connections to TCP port 445.
  • Use endpoint detection and response (EDR) tools to identify abnormal process spawning by the SMB service.
  • Review historical proxy and firewall logs for post-exploitation beaconing patterns.

Assessment

EPSS places this vulnerability at 0.89862 with a 99.78th percentile ranking, indicating an extremely high probability of exploitation. It has been on the CISA KEV catalog since 2022-03-25, and the EU maintains an exploited-since date of the same day. This vulnerability is a textbook example of the risks posed by leaving legacy, unneeded network protocols enabled in production environments.

References

Frequently asked questions

What is CVE-2017-0146?
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.
How severe is CVE-2017-0146?
CVE-2017-0146 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-0146 being actively exploited?
Yes. CVE-2017-0146 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-0146?
CVE-2017-0146 primarily affects Microsoft Server Message Block. In total, 16 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-0146?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-0146 have an EU (EUVD) identifier?
Yes. CVE-2017-0146 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0513. It is also flagged as exploited in the EUVD (since 2022-03-25).
When was CVE-2017-0146 published?
CVE-2017-0146 was published on 2017-03-17 and last updated on 2026-06-17.

References

Affected products (16)

More vulnerabilities in Microsoft Server Message Block

All CVEs affecting Microsoft Server Message Block →