CVE-2017-0147

CVE-2017-0147 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-24).

Key facts

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka "Windows SMB Information Disclosure Vulnerability."

CVE-2017-0147: Windows SMBv1 Information Disclosure Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2017-0147
CVSS v3.1 7.5 (HIGH) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v2 4.3 (MEDIUM) — AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS 0.99693 (99.7th percentile)
KEV Yes — added 2022-05-24
EU Exploited Yes — since 2022-05-24
Ransomware Associated with ransomware campaigns
CWE Not specified in source data

Summary

CVE-2017-0147 is an information disclosure vulnerability in the SMBv1 server implementation across multiple Microsoft Windows operating systems. A remote, unauthenticated attacker can send crafted SMB packets to leak sensitive information from process memory. This vulnerability is part of the same vulnerability class as the EternalBlue exploit chain and has been actively exploited in the wild, including by ransomware operators.

Background

Server Message Block version 1 (SMBv1) is a legacy network file-sharing protocol that has been part of Windows for decades. Microsoft deprecated SMBv1 in 2014 and strongly recommends disabling it entirely due to its lack of modern security features. In March 2017, the Shadow Brokers leak disclosed multiple SMBv1-related vulnerabilities, including CVE-2017-0147, which enables information disclosure that can be chained with other flaws to achieve remote code execution (e.g., CVE-2017-0144 / EternalBlue).

Root Cause

The vulnerability stems from improper handling of specially crafted SMBv1 packets by the server. While the exact CWE is not specified in the source data, the flaw aligns with CWE-200: Exposure of Sensitive Information to an Unauthorized Actor — the SMBv1 server fails to adequately validate or sanitize incoming packet structures, allowing out-of-bounds memory reads or information leaks that expose kernel or process memory contents to a remote attacker.

Impact

  • CVSS v3.1 Score: 7.5 (HIGH) — Network exploitable with low attack complexity, no privileges required, and no user interaction. The confidentiality impact is HIGH; integrity and availability impacts are NONE.
  • CVSS v2 Score: 4.3 (MEDIUM) — Network exploitable with medium access complexity; partial confidentiality impact.
  • Real-world risk: Despite being "information disclosure" on paper, this flaw is frequently chained with other SMBv1 vulnerabilities to achieve full remote code execution. The EPSS score of 0.99693 indicates near-certain probability of active exploitation. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has been weaponized by ransomware groups.

Exploitation Walkthrough

Defensive Context Only — No Weaponized Code

An attacker on the same network (or reachable via the internet if SMBv1/TCP 445 is exposed) sends malformed SMBv1 negotiation or transaction packets to a vulnerable host. The server responds with memory contents that may include:

  • Kernel pool allocations
  • Session tokens or handles
  • Addresses useful for defeating ASLR/KASLR
  • Fragments of other processes' memory

This information is then used to craft a follow-up exploit (e.g., the DOUBLEPULSAR implant or EternalBlue RCE) to achieve code execution. The exploit-db references in this record document historical proof-of-concept techniques for defensive analysis and patching validation.

Ethics caveat: Running exploit tools against systems you do not own or have explicit permission to test is illegal and unethical. The references listed are for security research, patch verification, and incident response only.

Affected and Patched Versions

Affected Products (Microsoft)

  • Windows Vista SP2
  • Windows Server 2008 SP2 / R2 SP1
  • Windows 7 SP1
  • Windows 8.1
  • Windows Server 2012 / R2
  • Windows RT 8.1
  • Windows 10 (1507, 1511, 1607)
  • Windows Server 2016

Affected Products (Siemens — medical/industrial devices)

  • ACUSON P300 (firmware 13.02–13.21)
  • ACUSON P500 (firmware VA10, VB10)
  • ACUSON SC2000 / syngo SC2000 (firmware 5.0a)
  • ACUSON X700 (firmware 1.0–1.1)
  • Tissue Preparation System
  • VERSANT kPCR Molecular System / Sample Prep

Patched Versions

Microsoft released security updates in MS17-010 (March 2017) that address this vulnerability. Affected systems should be patched to the latest supported build. Systems beyond extended support (e.g., Windows Vista, Windows Server 2008 without ESU) require manual mitigation or upgrade.

Remediation

  1. Apply MS17-010 patches from Microsoft Update for all supported Windows versions.
  2. Disable SMBv1 entirely via Windows Features or PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. This is the strongest long-term control.
  3. Block inbound TCP 445 / 139 at the perimeter firewall unless strictly required.
  4. Enable SMB signing and require encryption (SMB 3.0+) for any remaining necessary file-sharing traffic.
  5. Segment legacy systems that cannot be patched or upgraded (e.g., embedded Siemens devices) onto isolated VLANs with no internet access and tightly controlled east-west traffic.
  6. Monitor for anomalous SMBv1 traffic — any SMBv1 connection in a modern environment should be treated as suspicious.

Detection

  • Network: Monitor for unexpected SMBv1 protocol negotiation (NT LM 0.12 dialect) on TCP 445/139. IDS/IPS signatures for EternalBlue/DOUBLEPULSAR detection also cover this vulnerability class.
  • Endpoint: Windows Event ID 1001 (SMBv1 client connections) can be enabled via registry; also monitor for abnormal lsass.exe or srv.sys behavior.
  • Vulnerability Scanning: Confirm SMBv1 is disabled via registry key SMB1 under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (value 0).
  • Threat Intel: Cross-reference EPSS and KEV data — any asset with SMBv1 exposed and this CVE present should be treated as compromised-until-proven-otherwise.

Assessment

This is a high-confidence, actively exploited legacy vulnerability. The CVSS v3 score of 7.5 understates the real-world risk because CVE-2017-0147 is almost never exploited in isolation; it is a stepping stone toward full system compromise via the EternalBlue exploit chain. The EPSS of 0.99693 and KEV listing confirm it is a priority-1 remediation target.

Key lessons:

  1. Disable legacy protocols before they are weaponized. SMBv1 was deprecated years before this flaw was exploited at scale; organizations that had already disabled it were unaffected.
  2. Patch velocity matters. MS17-010 was available before the WannaCry and NotPetya outbreaks, yet unpatched systems caused billions in damage. Treat KEV-listed vulnerabilities with emergency patching SLAs.

References

Frequently asked questions

What is CVE-2017-0147?
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka "Windows SMB Information Disclosure Vulnerability."
How severe is CVE-2017-0147?
CVE-2017-0147 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2017-0147 being actively exploited?
Yes. CVE-2017-0147 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-24, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-0147?
CVE-2017-0147 primarily affects Microsoft Windows 10 1507. In total, 27 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-0147?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-0147 have an EU (EUVD) identifier?
Yes. CVE-2017-0147 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0514. It is also flagged as exploited in the EUVD (since 2022-05-24).
When was CVE-2017-0147 published?
CVE-2017-0147 was published on 2017-03-17 and last updated on 2026-06-17.

References

Affected products (27)

More vulnerabilities in Microsoft Windows 10 1507

All CVEs affecting Microsoft Windows 10 1507 →