CVE-2017-0147
CVE-2017-0147 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-24).
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 4.3
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-05-24)
- EU (EUVD) id: EUVD-2017-0514
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-05-24)
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka "Windows SMB Information Disclosure Vulnerability."
CVE-2017-0147: Windows SMBv1 Information Disclosure Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2017-0147 |
| CVSS v3.1 | 7.5 (HIGH) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVSS v2 | 4.3 (MEDIUM) — AV:N/AC:M/Au:N/C:P/I:N/A:N |
| EPSS | 0.99693 (99.7th percentile) |
| KEV | Yes — added 2022-05-24 |
| EU Exploited | Yes — since 2022-05-24 |
| Ransomware | Associated with ransomware campaigns |
| CWE | Not specified in source data |
Summary
CVE-2017-0147 is an information disclosure vulnerability in the SMBv1 server implementation across multiple Microsoft Windows operating systems. A remote, unauthenticated attacker can send crafted SMB packets to leak sensitive information from process memory. This vulnerability is part of the same vulnerability class as the EternalBlue exploit chain and has been actively exploited in the wild, including by ransomware operators.
Background
Server Message Block version 1 (SMBv1) is a legacy network file-sharing protocol that has been part of Windows for decades. Microsoft deprecated SMBv1 in 2014 and strongly recommends disabling it entirely due to its lack of modern security features. In March 2017, the Shadow Brokers leak disclosed multiple SMBv1-related vulnerabilities, including CVE-2017-0147, which enables information disclosure that can be chained with other flaws to achieve remote code execution (e.g., CVE-2017-0144 / EternalBlue).
Root Cause
The vulnerability stems from improper handling of specially crafted SMBv1 packets by the server. While the exact CWE is not specified in the source data, the flaw aligns with CWE-200: Exposure of Sensitive Information to an Unauthorized Actor — the SMBv1 server fails to adequately validate or sanitize incoming packet structures, allowing out-of-bounds memory reads or information leaks that expose kernel or process memory contents to a remote attacker.
Impact
- CVSS v3.1 Score: 7.5 (HIGH) — Network exploitable with low attack complexity, no privileges required, and no user interaction. The confidentiality impact is HIGH; integrity and availability impacts are NONE.
- CVSS v2 Score: 4.3 (MEDIUM) — Network exploitable with medium access complexity; partial confidentiality impact.
- Real-world risk: Despite being "information disclosure" on paper, this flaw is frequently chained with other SMBv1 vulnerabilities to achieve full remote code execution. The EPSS score of 0.99693 indicates near-certain probability of active exploitation. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has been weaponized by ransomware groups.
Exploitation Walkthrough
Defensive Context Only — No Weaponized Code
An attacker on the same network (or reachable via the internet if SMBv1/TCP 445 is exposed) sends malformed SMBv1 negotiation or transaction packets to a vulnerable host. The server responds with memory contents that may include:
- Kernel pool allocations
- Session tokens or handles
- Addresses useful for defeating ASLR/KASLR
- Fragments of other processes' memory
This information is then used to craft a follow-up exploit (e.g., the DOUBLEPULSAR implant or EternalBlue RCE) to achieve code execution. The exploit-db references in this record document historical proof-of-concept techniques for defensive analysis and patching validation.
Ethics caveat: Running exploit tools against systems you do not own or have explicit permission to test is illegal and unethical. The references listed are for security research, patch verification, and incident response only.
Affected and Patched Versions
Affected Products (Microsoft)
- Windows Vista SP2
- Windows Server 2008 SP2 / R2 SP1
- Windows 7 SP1
- Windows 8.1
- Windows Server 2012 / R2
- Windows RT 8.1
- Windows 10 (1507, 1511, 1607)
- Windows Server 2016
Affected Products (Siemens — medical/industrial devices)
- ACUSON P300 (firmware 13.02–13.21)
- ACUSON P500 (firmware VA10, VB10)
- ACUSON SC2000 / syngo SC2000 (firmware 5.0a)
- ACUSON X700 (firmware 1.0–1.1)
- Tissue Preparation System
- VERSANT kPCR Molecular System / Sample Prep
Patched Versions
Microsoft released security updates in MS17-010 (March 2017) that address this vulnerability. Affected systems should be patched to the latest supported build. Systems beyond extended support (e.g., Windows Vista, Windows Server 2008 without ESU) require manual mitigation or upgrade.
Remediation
- Apply MS17-010 patches from Microsoft Update for all supported Windows versions.
- Disable SMBv1 entirely via Windows Features or PowerShell:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. This is the strongest long-term control. - Block inbound TCP 445 / 139 at the perimeter firewall unless strictly required.
- Enable SMB signing and require encryption (SMB 3.0+) for any remaining necessary file-sharing traffic.
- Segment legacy systems that cannot be patched or upgraded (e.g., embedded Siemens devices) onto isolated VLANs with no internet access and tightly controlled east-west traffic.
- Monitor for anomalous SMBv1 traffic — any SMBv1 connection in a modern environment should be treated as suspicious.
Detection
- Network: Monitor for unexpected SMBv1 protocol negotiation (NT LM 0.12 dialect) on TCP 445/139. IDS/IPS signatures for EternalBlue/DOUBLEPULSAR detection also cover this vulnerability class.
- Endpoint: Windows Event ID 1001 (SMBv1 client connections) can be enabled via registry; also monitor for abnormal lsass.exe or srv.sys behavior.
- Vulnerability Scanning: Confirm SMBv1 is disabled via registry key
SMB1underHKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters(value0). - Threat Intel: Cross-reference EPSS and KEV data — any asset with SMBv1 exposed and this CVE present should be treated as compromised-until-proven-otherwise.
Assessment
This is a high-confidence, actively exploited legacy vulnerability. The CVSS v3 score of 7.5 understates the real-world risk because CVE-2017-0147 is almost never exploited in isolation; it is a stepping stone toward full system compromise via the EternalBlue exploit chain. The EPSS of 0.99693 and KEV listing confirm it is a priority-1 remediation target.
Key lessons:
- Disable legacy protocols before they are weaponized. SMBv1 was deprecated years before this flaw was exploited at scale; organizations that had already disabled it were unaffected.
- Patch velocity matters. MS17-010 was available before the WannaCry and NotPetya outbreaks, yet unpatched systems caused billions in damage. Treat KEV-listed vulnerabilities with emergency patching SLAs.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0147
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.exploit-db.com/exploits/43970/
- http://www.securityfocus.com/bid/96709
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
Frequently asked questions
- What is CVE-2017-0147?
- The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka "Windows SMB Information Disclosure Vulnerability."
- How severe is CVE-2017-0147?
- CVE-2017-0147 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2017-0147 being actively exploited?
- Yes. CVE-2017-0147 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-24, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-0147?
- CVE-2017-0147 primarily affects Microsoft Windows 10 1507. In total, 27 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-0147?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-0147 have an EU (EUVD) identifier?
- Yes. CVE-2017-0147 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0514. It is also flagged as exploited in the EUVD (since 2022-05-24).
- When was CVE-2017-0147 published?
- CVE-2017-0147 was published on 2017-03-17 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96709
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.exploit-db.com/exploits/43970/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0147
Affected products (27)
- cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1511:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.02:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.03:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.20:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.21:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:va10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:vb10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:tissue_preparation_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_molecular_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_sample_prep_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…