CVE-2017-0148
CVE-2017-0148 is a high-severity vulnerability in Microsoft Server Message Block with a CVSS 3.x base score of 8.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-04-06). The underlying weakness is classified as CWE-20.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- CVSS v2: 9.3
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-04-06)
- EU (EUVD) id: EUVD-2017-0515
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-04-06)
- Weakness: CWE-20
- Affected product: Microsoft Server Message Block
- Published:
- Last modified:
Description
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.
CVE-2017-0148: Windows SMBv1 Remote Code Execution (EternalBlue Family)
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2017-0148 |
| CWE | CWE-20: Improper Input Validation |
| CVSS v2 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) |
| CVSS v3.1 | 8.1 HIGH (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| EPSS | 99.373% (percentile 99.935%) |
| KEV | Yes — listed since 2022-04-06 |
| Published | 2017-03-17 |
| Assigner | [email protected] |
Summary
CVE-2017-0148 is a remote code execution vulnerability in the SMBv1 server implementation shipped with Windows. An unauthenticated attacker can send specially crafted packets to a target system's SMBv1 service to achieve full arbitrary code execution with SYSTEM-level privileges. This flaw is part of the same vulnerability cluster as the EternalBlue exploit chain (CVE-2017-0143 through CVE-2017-0146) disclosed in the March 2017 Microsoft security update cycle and later weaponized by threat actors globally.
Background
Server Message Block version 1 (SMBv1) is a legacy network file-sharing protocol that has been present in Windows since the early 1990s. Despite the availability of more secure successors (SMBv2 and SMBv3), SMBv1 remained enabled by default on many Windows editions for backward compatibility. In early 2017, the Shadow Brokers leak exposed a set of Equation Group exploits, including EternalBlue, which targeted this exact SMBv1 attack surface. CVE-2017-0148 represents a related but distinct RCE path within the same SMBv1 handling code.
Root Cause
CWE-20: Improper Input Validation.
The SMBv1 server fails to properly validate the size and structure of incoming SMB packets before processing them. Specifically, crafted packets can trigger memory corruption conditions—such as buffer mishandling or integer issues—within the kernel-mode SMB driver (srv.sys). Because the parser operates in kernel space and does not adequately sanitize length fields or packet boundaries, malformed input propagates into memory operations that the attacker can steer toward arbitrary code execution. The vulnerability is exploitable without any prior authentication.
Impact
| Metric | Value |
|---|---|
| Confidentiality | Complete (HIGH in v3) |
| Integrity | Complete (HIGH in v3) |
| Availability | Complete (HIGH in v3) |
| Attack Vector | Network |
| Authentication | None required |
An successful exploit grants the attacker full control over the target system: read/write access to all files, ability to install persistent malware, lateral movement across the network, and encryption of data for ransom. The combination of network reachability, no credential requirement, and complete impact makes this vulnerability exceptionally severe. Its real-world impact was demonstrated at scale by the WannaCry (May 2017) and NotPetya (June 2017) campaigns.
Exploitation Walkthrough
Ethics caveat: This section describes the attack mechanics from a defensive and research perspective only. It does not contain weaponized exploit code, nor step-by-step instructions that would enable unauthorized access to systems. All information is derived from publicly available vendor advisories, NVD data, and verified research publications.
- Reconnaissance: The attacker identifies a reachable host with TCP port 445 open, indicating an active SMB service.
- Protocol negotiation: The attacker initiates an SMBv1 session. If the server responds with SMBv1 dialect support, the target is potentially vulnerable.
- Malformed packet delivery: The attacker sends one or more crafted SMB packets containing abnormal length fields or out-of-bounds offsets. These packets are designed to corrupt memory structures inside the SMB driver's packet-handling routines.
- Payload execution: By controlling the corrupted memory layout, the attacker redirects execution to shellcode of their choosing, typically achieving kernel-level or SYSTEM privileges without user interaction.
From a defender's perspective, the absence of authentication requirements and the ability to deliver the exploit as a single network packet make this attack extremely efficient for automated worms.
Affected and Patched Versions
Microsoft Windows
| Product | Affected Versions |
|---|---|
| Windows Vista | SP2 |
| Windows Server 2008 | SP2, R2 SP1 |
| Windows 7 | SP1 |
| Windows 8.1 | All |
| Windows RT 8.1 | All |
| Windows 10 | Gold (1507), 1511, 1607 |
| Windows Server 2012 | Gold, R2 |
| Windows Server 2016 | All |
Siemens Medical Devices
Multiple Siemens imaging and laboratory systems were also identified as vulnerable because they run embedded Windows variants with SMBv1 exposed. Affected product lines include Acuson P300, P500, SC2000, X700, and others. Siemens issued product-specific security advisories (SSA-701903, SSA-966341) with patch and mitigation guidance.
Patch status: Microsoft released security updates in MS17-010 (March 2017) that addressed this vulnerability. Systems patched with MS17-010 or later cumulative updates are protected.
Remediation
- Apply patches immediately. Install Microsoft security update MS17-010 or any subsequent cumulative update for your Windows version.
- Disable SMBv1. Unless explicitly required by a legacy application, disable the SMBv1 protocol via PowerShell (
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol) or Group Policy. SMBv1 is deprecated and should not be used in modern environments. - Network segmentation. Restrict SMB traffic (TCP 445) to trusted internal network segments. Block inbound SMB at the perimeter firewall.
- Compensating controls. If patching is temporarily impossible, deploy the Microsoft SMBv1 disable workaround and ensure endpoint protection products have signatures for EternalBlue/DOUBLEPULSAR traffic patterns.
Detection
- Network: Monitor for anomalous SMBv1 dialect negotiation from unexpected sources. IDS/IPS rules for EternalBlue/DOUBLEPULSAR shellcode patterns are widely available.
- Host: Look for abnormal
srv.syscrash events, unexpected processes spawning fromSystemorsvchost.exe, and unauthorized file modifications. - Behavioral: WannaCry and NotPetya both exhibited distinctive lateral-movement behavior over SMB; modern EDR platforms flag these patterns.
- Vulnerability scanning: Confirm whether TCP/445 responds with SMBv1; if so, the system may be unpatched.
Assessment
With an EPSS score of 99.373%, CVE-2017-0148 sits in the top 0.1% of all CVEs by probability of active exploitation. Its inclusion in CISA's Known Exploited Vulnerabilities catalog (since April 2022) and the EU Vulnerability Database confirms sustained threat-actor interest. The vulnerability's role in two of the most destructive ransomware worms in history makes it a canonical example of how a single unpatched network service can cascade into global damage.
Key lessons:
- Disable legacy protocols before they are weaponized. SMBv1 was obsolete long before 2017; leaving it enabled expanded the attack surface for the entire Windows ecosystem.
- Patch velocity matters. The WannaCry outbreak occurred more than a month after MS17-010 was released. Organizations with disciplined patch cycles avoided compromise entirely.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0148
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- http://www.securityfocus.com/bid/96706
- http://www.securitytracker.com/id/1037991
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
Frequently asked questions
- What is CVE-2017-0148?
- The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.
- How severe is CVE-2017-0148?
- CVE-2017-0148 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-0148 being actively exploited?
- Yes. CVE-2017-0148 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-04-06, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-0148?
- CVE-2017-0148 primarily affects Microsoft Server Message Block. In total, 16 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-0148?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-0148 have an EU (EUVD) identifier?
- Yes. CVE-2017-0148 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0515. It is also flagged as exploited in the EUVD (since 2022-04-06).
- When was CVE-2017-0148 published?
- CVE-2017-0148 was published on 2017-03-17 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96706
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0148
Affected products (16)
- cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.02:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.03:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.20:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p300_firmware:13.21:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:va10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_p500_firmware:vb10:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:acuson_x700_firmware:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:syngo_sc2000_firmware:5.0a:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:tissue_preparation_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_molecular_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:versant_kpcr_sample_prep_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Server Message Block
- CVE-2017-0146 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0145 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0144 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
- CVE-2017-0143 — High (CVSS 8.8): The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1;…
All CVEs affecting Microsoft Server Message Block →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →