CVE-2017-0143 — Microsoft Windows Server Message Block (SMBv1) Remote Code Execution Vulnerability

Microsoft Windows SMBv1 — EternalRomance: NSA Equation Group SMBv1 RCE Exposed by Shadow Brokers; WannaCry and NotPetya Ransomware Propagation; Patched MS17-010

What Is SMBv1?

Server Message Block version 1 (SMBv1) is the original Windows file sharing and network communication protocol, designed in the 1980s for LAN file and printer sharing. SMBv1 is built into Windows and listens on TCP port 445. Although it was superseded by SMBv2 (Vista) and SMBv3 (Windows 8), SMBv1 remained enabled by default in every Windows version until Windows 10 1709, leaving a decades-old attack surface exposed on virtually every Windows system in the world.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0143 is a remote code execution vulnerability in the Windows SMBv1 server component, patched in MS17-010 (March 14, 2017). It is part of the MS17-010 family — a group of SMBv1 vulnerabilities (CVE-2017-0143 through CVE-2017-0148) leaked by the Shadow Brokers as NSA Equation Group exploit tools in April 2017, one month after Microsoft's patch. CVE-2017-0143 corresponds to EternalRomance — one of the Shadow Brokers-published Equation Group tools that exploits SMBv1 transaction handling to achieve remote code execution. The entire MS17-010 family powered the catastrophic WannaCry (May 2017) and NotPetya (June 2017) ransomware/destructive malware outbreaks. CISA added CVE-2017-0143 to the KEV catalog in November 2021.

Affected Versions

Windows Version                         Status
--------------------------------------  --------------------------------------------------------------------------
Windows XP                              Vulnerable (no regular patch; Microsoft issued an emergency patch in May 2017)
Windows Vista SP2                       Vulnerable
Windows Server 2003                     Vulnerable (no regular patch; emergency patch issued May 2017)
Windows Server 2008 SP2 / R2 SP1        Vulnerable
Windows 7 SP1                           Vulnerable
Windows 8.1                             Vulnerable
Windows Server 2012 / 2012 R2           Vulnerable
Windows 10 (versions 1507–1703)         Vulnerable
Windows Server 2016                     Vulnerable
All of the above with MS17-010 applied  Fixed
Windows 10 1709 and later               Fixed (SMBv1 disabled by default)

Technical Details

Root Cause: SMBv1 Transaction Buffer Overflow

CVE-2017-0143 is a memory buffer vulnerability (CWE-119) in the Windows SMBv1 server's handling of transaction requests. The SMBv1 protocol supports transaction commands (SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2, SMB_COM_NT_TRANSACT) that carry data and parameters in structured packets. The SMBv1 server improperly handles certain transaction packet structures, leading to memory corruption in the kernel-mode SMBv1 server driver (srv.sys).

Distinction from CVE-2017-0144 (EternalBlue):

  • CVE-2017-0143 (EternalRomance): PR:L — requires low-privilege access (NULL session or guest account); targets Windows Server specifically; exploits different SMBv1 code paths than EternalBlue
  • CVE-2017-0144 (EternalBlue): PR:N — no authentication required; the exploit used by WannaCry and NotPetya for mass propagation

Shadow Brokers Leak and WannaCry/NotPetya

The April 14, 2017 Shadow Brokers dump published EternalRomance (CVE-2017-0143) alongside EternalBlue (CVE-2017-0144) and other MS17-010 tools as NSA Equation Group capabilities. The tools provided ready-made exploits for these SMBv1 vulnerabilities, enabling rapid adoption by criminal and state actors:

  • WannaCry (May 12, 2017): Used EternalBlue (CVE-2017-0144) primarily, but the entire MS17-010 family (including CVE-2017-0143) contributed to the devastation
  • NotPetya (June 27, 2017): Used EternalBlue and EternalRomance (CVE-2017-0143) together for propagation across networks

Attack Characteristics

Attribute              Detail
---------------------  --------------------------------------------------------
Attack Vector          Network (TCP port 445, SMBv1)
Authentication         Low-privilege access (NULL session or guest account) required
Shadow Brokers Tool    EternalRomance
Ransomware / Malware   WannaCry, NotPetya, numerous ransomware families
Patch                  MS17-010 (March 14, 2017)

Discovery

Discovered by the NSA's Equation Group and weaponized as EternalRomance; publicly disclosed when the Shadow Brokers published the tool on April 14, 2017 — one month after Microsoft had patched it in MS17-010.

Exploitation Context

  • WannaCry and NotPetya: The MS17-010 family of vulnerabilities enabled the most damaging cyberattacks in history at the time — WannaCry infected 200,000+ systems in 150 countries in days; NotPetya caused $10+ billion in damages globally; both used SMBv1 for self-propagating worm-like spread
  • Unpatched systems long after patch: Despite the March 2017 patch, millions of Windows systems remained unpatched when WannaCry struck in May 2017; many organizations ran Windows 7/Server 2008 on critical systems without automated patching
  • EternalRomance in targeted attacks: Beyond mass ransomware campaigns, EternalRomance (CVE-2017-0143) was used by nation-state actors in targeted intrusions against specific organizations before and after the Shadow Brokers disclosure
  • CISA KEV (2021): Added November 3, 2021 in the initial KEV batch — among the most well-documented exploited vulnerabilities in history

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS17-010 immediately — patch Windows systems with the March 2017 security update. This is one of the most critical patches in Windows history.

  2. Disable SMBv1 — SMBv1 is a protocol more than 30 years old with no modern security properties; disable it on all systems:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false
    
  3. Block SMBv1 at the network perimeter — block TCP port 445 inbound from the internet at firewall/perimeter. Internal segmentation should also restrict SMBv1 traffic between network zones.

  4. Segment internal networks — limit lateral movement by preventing SMBv1 traffic from propagating across VLAN boundaries; worm propagation requires SMBv1 reachability between hosts.

  5. Replace end-of-life Windows versions — Windows XP, Server 2003, and Server 2008 without extended support cannot receive regular patches; replace these systems urgently.
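The following script is an added example, not part of the advisory, that carries out steps 2 and 3 on a single host: it records the SMBv1 server state, disables the SMBv1 server and optional feature, and adds a host-firewall backstop for the perimeter rule. It assumes Windows 8 / Server 2012 or later (the SmbShare and NetSecurity modules are present), an elevated prompt, and an arbitrary firewall rule name.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory). Audit, then disable, the SMBv1 server
# component and block inbound TCP 445 from the Internet on this host.
param([switch]$AuditOnly)   # -AuditOnly reports state without changing anything

function Get-Smb1State {
    # EnableSMB1Protocol is the server-side switch the advisory's step 2 turns off
    $cfg = Get-SmbServerConfiguration
    # The SMB1Protocol optional feature exists on Windows 8.1/10/Server 2016+;
    # on older systems the query fails and we report NotPresent
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # Step 2: stop srv.sys from speaking SMBv1 (takes effect without a reboot)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Also remove the client/server feature binaries where the feature exists;
    # full removal is completed at the next reboot
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-Smb445FromInternet {
    # Step 3: host-based backstop for the perimeter block. The 'Internet' keyword
    # matches remote addresses outside the local subnet/intranet as Windows sees them,
    # so intranet file sharing over SMBv2/3 keeps working.
    $name = 'Block inbound SMB (TCP 445) from Internet'   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

$before = Get-Smb1State
Write-Output "Before: SMBv1 server enabled = $($before.Smb1ServerEnabled); feature = $($before.Smb1FeatureState)"
if (-not $AuditOnly) {
    Disable-Smb1
    Block-Smb445FromInternet
    $after = Get-Smb1State
    Write-Output "After:  SMBv1 server enabled = $($after.Smb1ServerEnabled); feature = $($after.Smb1FeatureState)"
}
```

Run with -AuditOnly first across a fleet to find hosts still answering SMBv1 before changing anything; the script does not verify that MS17-010 itself is installed, so step 1 still has to be confirmed through normal patch inventory.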

Key Details

Property              Value
--------------------  ----------------------------------------------------------------------------
CVE ID                CVE-2017-0143
Vendor / Product      Microsoft / Windows
NVD Published         2017-03-17
NVD Last Modified     2025-10-22
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Metric               Value
-------------------  ---------
Attack Vector        Network
Attack Complexity    Low
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
----------  ------------------------------------------------------------------------------------------------------
2017-03-14  Microsoft releases MS17-010, patching CVE-2017-0143 and related SMBv1 vulnerabilities (EternalBlue family)
2017-03-17  CVE-2017-0143 published by NVD
2017-04-14  Shadow Brokers leak NSA Equation Group tools including EternalRomance (CVE-2017-0143), EternalBlue (CVE-2017-0144), and others
2017-05-12  WannaCry ransomware spreads globally using MS17-010 SMBv1 exploits
2017-06-27  NotPetya destructive malware spreads globally using MS17-010 SMBv1 exploits
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03  CISA BOD 22-01 remediation deadline