CVE-2017-0144

Microsoft SMBv1 'EternalBlue' — NSA-Developed SMBv1 Buffer Overflow Used in WannaCry and NotPetya
⚠️ CVSS 3.1  8.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0144, known as "EternalBlue," is a remote code execution vulnerability in the Windows implementation of the SMBv1 protocol. Originally developed as a weaponized exploit by the U.S. National Security Agency (NSA), it was stolen and publicly released by the Shadow Brokers hacking group in April 2017. Within a month it was incorporated into the WannaCry ransomware worm, which infected over 200,000 systems in 150 countries in a single day. Two months later it powered NotPetya, a destructive wiper attributed to Russian military intelligence that caused an estimated $10 billion in global damages — the most destructive cyberattack in history at the time.

EternalBlue represents the convergence of three factors that produce maximum impact: a vulnerability in a ubiquitous protocol (SMBv1 was installed and enabled by default on every supported Windows version at the time), a powerful ready-made exploit (NSA-developed and reliable enough to be dropped into worms unchanged), and a wormable attack vector (no user interaction, self-propagating across networks).

What Is SMBv1?

Server Message Block version 1 (SMBv1) is a 1980s-era network file sharing protocol that remained installed and enabled by default on Windows until Windows 10 version 1709 and Windows Server version 1709 (Fall Creators Update), from which point clean installs no longer include it. Its age, complexity, and lack of modern protections (no pre-authentication integrity, no encryption, and a large legacy parsing surface in the kernel driver srv.sys) made it a persistent source of critical vulnerabilities. Microsoft formally deprecated SMBv1 in 2014 and has worked to remove it by default in modern Windows versions, but systems upgraded in place, legacy devices, and misconfigurations leave it exposed across enterprise networks.

Affected Versions

Windows Version            Status
Windows XP                 Vulnerable (EOL; out-of-band patch KB4012598 issued May 2017 in response to WannaCry)
Windows Vista              Vulnerable (fixed by MS17-010, March 2017)
Windows 7                  Vulnerable (fixed by MS17-010, March 2017)
Windows 8                  Vulnerable (EOL; out-of-band patch issued May 2017 in response to WannaCry)
Windows 8.1                Vulnerable (fixed by MS17-010, March 2017)
Windows Server 2003        Vulnerable (EOL; out-of-band patch KB4012598 issued May 2017 in response to WannaCry)
Windows Server 2008        Vulnerable (fixed by MS17-010, March 2017)
Windows Server 2008 R2     Vulnerable (fixed by MS17-010, March 2017)
Windows Server 2012        Vulnerable (fixed by MS17-010, March 2017)
Windows Server 2012 R2     Vulnerable (fixed by MS17-010, March 2017)
Windows 10                 Vulnerable (fixed by MS17-010, March 2017; SMBv1 enabled by default at time of disclosure)
Windows Server 2016        Vulnerable (fixed by MS17-010, March 2017)

All supported versions above were fixed by MS17-010 on March 14, 2017. Windows XP, Windows 8 and Windows Server 2003, already end-of-life and therefore not covered by the March bulletin, received out-of-band patches (KB4012598) in May 2017, once WannaCry was spreading through unpatched hosts.

Technical Details

Root Cause: Kernel Pool Overflow in SMBv1 Extended Attribute (FEA) Conversion

The vulnerability is a non-paged pool overflow in srv.sys, the Windows SMBv1 server driver. When a client sends a Transaction2 request carrying a list of OS/2-style File Extended Attributes (FEAs), srv.sys converts the list to NT format in two passes. The first, SrvOs2FeaListSizeToNt, walks the list to compute the size of the NT buffer to allocate and rewrites the list's 32-bit length field (cbList) to the number of bytes it actually parsed. The second, SrvOs2FeaListToNt, copies entries into that buffer until it reaches cbList. The first pass performed the rewrite with a 16-bit store, so when cbList is 0x10000 or larger only the low word is updated and the high word survives. The second pass therefore keeps walking past the entries the first pass sized, and a final entry crafted to claim more data than remains is copied past the end of the pool allocation. Reaching a FEA list that large requires an SMB transaction of more than 64 KB, which the exploit obtains by opening the transaction as an SMB_COM_NT_TRANSACT request and continuing it with SMB_COM_TRANSACTION2_SECONDARY packets; the server treats the pieces as one transaction (the "transaction type confusion").

The NSA-developed ETERNALBLUE exploit grooms the non-paged pool with SMB session allocations so that the overflowing buffer lands next to an SRVNET receive buffer, then overwrites that buffer's header so the next packet the server receives is written to an attacker-chosen address and a function pointer in it is called, giving kernel code execution. The attack is network-accessible because SMBv1 is a network service on TCP port 445, and it requires no credentials: the malicious transaction is sent over an anonymous (null or guest) SMB session, which is why the NVD vector scores PR:L even though, in practice, any unauthenticated host that can reach port 445 can exploit it.
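
To make the length-field bug concrete, the following is a simplified model of the two-pass conversion, added for this page; it is not srv.sys code and not the NSA exploit. Function names mirror the srv.sys routines, but the bodies are a model, and the list it builds is constructed to have the shape described above: a declared length of 0x10004 bytes, 13,104 empty attribute entries, then one entry claiming a 0x4000-byte value where only 16 bytes remain. The NT buffer is never actually overrun: the second pass returns false at the point where the real driver wrote past its pool allocation. The 16-bit store assumes a little-endian host, as on x86.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the srv.sys OS/2 -> NT FEA list conversion, written for
 * this page.  Not Microsoft's code.  Layout follows the OS/2 FEALIST (4-byte
 * cbList, then entries of fEA(1) cbName(1) cbValue(2) name NUL value) and NT
 * FILE_FULL_EA_INFORMATION (8-byte header, entries 4-byte aligned). */

#define OS2_HDR  4u
#define NT_HDR   8u
#define DATA_LEN 0x10000u

typedef struct {
    uint32_t cbList;          /* declared total length, header included */
    uint8_t  data[DATA_LEN];  /* entry bytes as received from the client */
} os2_fea_list;

static uint32_t os2_entry_size(const uint8_t *e)
{
    uint32_t cbName = e[1], cbValue = (uint32_t)e[2] | ((uint32_t)e[3] << 8);
    return OS2_HDR + cbName + 1 + cbValue;
}

static uint32_t nt_entry_size(const uint8_t *e)
{
    uint32_t cbName = e[1], cbValue = (uint32_t)e[2] | ((uint32_t)e[3] << 8);
    return (NT_HDR + cbName + 1 + cbValue + 3u) & ~3u;   /* 4-byte aligned */
}

/* Pass 1: size the NT buffer and trim cbList to the bytes actually parsed.
 * The MS17-010 defect: the trim was a 16-bit store into the 32-bit field. */
static uint32_t os2_fea_list_size_to_nt(os2_fea_list *l, bool vulnerable)
{
    uint32_t limit = l->cbList - OS2_HDR, off = 0, nt = 0;
    while (off + OS2_HDR <= limit && off + OS2_HDR <= DATA_LEN) {
        const uint8_t *e = l->data + off;
        uint32_t sz = os2_entry_size(e);
        if (off + sz > limit) break;          /* entry runs past the list: stop here */
        nt += nt_entry_size(e);
        off += sz;
    }
    uint32_t parsed = off + OS2_HDR;
    if (vulnerable) {
        uint16_t lo = (uint16_t)parsed;       /* high 16 bits of cbList survive */
        memcpy(&l->cbList, &lo, sizeof lo);   /* low-word store on a little-endian host */
    } else {
        l->cbList = parsed;                   /* full 32-bit update */
    }
    return nt;
}

/* Pass 2: copy entries into an NT buffer of nt_len bytes, trusting cbList as
 * the end marker exactly as the original loop did.  Returns false where the
 * real driver wrote past its non-paged pool allocation, instead of corrupting memory. */
static bool os2_fea_list_to_nt(const os2_fea_list *l, uint32_t nt_len, uint32_t *written)
{
    uint32_t limit = l->cbList - OS2_HDR, off = 0, out = 0;
    while (off + OS2_HDR <= limit) {
        if (off + OS2_HDR > DATA_LEN) return false;  /* model guard: header beyond received data */
        const uint8_t *e = l->data + off;
        uint32_t nt = nt_entry_size(e);
        if (out + nt > nt_len) return false;         /* NT buffer overflow */
        out += nt;
        off += os2_entry_size(e);
    }
    *written = out;
    return true;
}

static os2_fea_list g_list;   /* 64 KiB of entry data; static rather than on the stack */

/* Constructed trigger: cbList = 0x10004 (high word set), 13104 empty 5-byte
 * entries filling 0xFFF0 bytes, then a header claiming a 0x4000-byte value. */
static void build_trigger_list(void)
{
    memset(&g_list, 0, sizeof g_list);       /* zeroed bytes are empty entries */
    g_list.cbList = OS2_HDR + DATA_LEN;
    g_list.data[0xFFF0 + 2] = 0x00;          /* cbValue low byte */
    g_list.data[0xFFF0 + 3] = 0x40;          /* cbValue high byte: 0x4000 */
}

uint32_t cblist_after_pass1(bool vulnerable)
{
    build_trigger_list();
    os2_fea_list_size_to_nt(&g_list, vulnerable);
    return g_list.cbList;                    /* 0x1FFF4 vulnerable, 0xFFF4 fixed */
}

bool conversion_overflows(bool vulnerable)
{
    build_trigger_list();
    uint32_t nt_len = os2_fea_list_size_to_nt(&g_list, vulnerable);
    uint32_t written = 0;
    return !os2_fea_list_to_nt(&g_list, nt_len, &written);
}

int main(void)
{
    printf("vulnerable: cbList=0x%lX overflow=%d\n",
           (unsigned long)cblist_after_pass1(true), conversion_overflows(true));
    printf("fixed:      cbList=0x%lX overflow=%d\n",
           (unsigned long)cblist_after_pass1(false), conversion_overflows(false));
    return 0;
}
```

With the vulnerable store, cbList is 0x1FFF4 after pass 1 (the high word is intact) and the second pass runs into the crafted entry, which is larger than the buffer the first pass sized; with the full 32-bit update cbList becomes 0xFFF4 and the second pass stops exactly where the first did. A hardened converter would also bound every copy against the destination buffer rather than trusting a length the sizing pass was supposed to have corrected.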

The Shadow Brokers Leak

ETERNALBLUE was developed by the NSA's Tailored Access Operations (TAO) unit as part of a suite of SMB exploitation tools. In August 2016, a group calling itself the Shadow Brokers claimed to have stolen NSA hacking tools. After a failed auction attempt, they published the tools publicly on April 14, 2017 — four weeks after Microsoft had already released the MS17-010 patch. The leak included ETERNALBLUE, DOUBLEPULSAR (a kernel backdoor installer), ETERNALCHAMPION, ETERNALROMANCE, and other tools.

WannaCry

On May 12, 2017, the WannaCry ransomware worm was launched, using ETERNALBLUE to compromise unpatched hosts over port 445 and the DOUBLEPULSAR kernel backdoor to load its payload (hosts already carrying a DOUBLEPULSAR implant from earlier scanning were used as well). WannaCry:

  • Spread autonomously, requiring no user interaction
  • Infected 200,000+ systems across 150 countries within 24 hours
  • Shut down hospitals across the UK's NHS, forcing ambulance diversions
  • Hit Telefónica, Deutsche Bahn, FedEx, Renault, and hundreds of other large organizations
  • Was attributed by the US, UK, and Australian governments to North Korea (Lazarus Group)
  • Was halted by a kill switch: before running, WannaCry tried to connect to a hard-coded, unregistered domain and exited if the connection succeeded. Security researcher Marcus Hutchins registered the domain for about $10 on the first day, which stopped new infections on hosts that could reach it (hosts behind proxies or on isolated networks kept encrypting)

NotPetya

On June 27, 2017, a second worm, initially taken for the Petya ransomware and now known as NotPetya, launched through a trojanised update of the Ukrainian accounting package M.E.Doc, primarily hitting Ukraine but spreading globally through corporate networks. Unlike WannaCry, NotPetya was a destructive wiper dressed up as ransomware: it overwrote the boot record and encrypted the file system's master file table with no working recovery path, so paying could not restore data. It:

  • Used EternalBlue and EternalRomance for lateral movement, plus credential theft with a Mimikatz-derived tool whose output was fed to PsExec and WMIC, so it also spread to hosts already patched against MS17-010
  • Caused ~$10 billion in damages — the most destructive cyberattack in recorded history at the time
  • Destroyed systems at Maersk (shipping), Merck (pharma), FedEx TNT, Mondelez, Reckitt Benckiser, and others
  • Was attributed to the Russian military intelligence unit Sandworm (GRU Unit 74455)

Attack Characteristics

Attribute                      Detail
Attack Vector                  Network: TCP port 445 (SMB)
Effective Privileges Required  None: an anonymous (null or guest) SMB session satisfies the PR:L in the CVSS vector
Wormable                       Yes: self-propagating without user interaction
DOUBLEPULSAR                   Companion kernel backdoor typically implanted after exploitation

Discovery

The NSA's Tailored Access Operations unit developed the exploit at an undisclosed date before 2017 and did not report the bug to Microsoft while the exploit was in use. Microsoft has never said who reported it; press reports at the time stated that the NSA warned Microsoft after learning its tools had been stolen. Microsoft patched it in MS17-010 on March 14, 2017, unusually without crediting any reporter. The Shadow Brokers published the exploit on April 14, 2017, one month after the patch, and out-of-band patches for the end-of-life Windows XP, Windows 8 and Server 2003 followed in May 2017 once WannaCry was spreading.

Exploitation Context

EternalBlue remains one of the most exploited vulnerabilities ever discovered, with active exploitation continuing years after patching:

  • WannaCry (May 2017): 200,000+ infections, $4–8 billion in damages, NHS disruption
  • NotPetya (June 2017): ~$10 billion in damages, attributed to Russian GRU
  • Bad Rabbit (October 2017): Ransomware targeting Russia and Eastern Europe that spread with the related EternalRomance exploit (also fixed by MS17-010) rather than EternalBlue
  • Adylkuzz (May 2017): Cryptocurrency mining botnet using EternalBlue
  • TrickBot / Emotet (2018–2020): EternalBlue used for lateral movement post-initial-access
  • Ongoing: Scanning for port 445 with EternalBlue payloads remains among the most common internet background noise

SMBv1 exposure remains prevalent on networks with legacy systems, industrial control systems, and embedded devices that cannot be easily patched.

Remediation

CISA BOD 22-01 Deadline: August 10, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

  1. Apply MS17-010 immediately on all Windows systems. On Windows 7 and Server 2008 R2 the security-only update is KB4012212 and the monthly rollup is KB4012215; check with Get-HotFix -Id KB4012212, KB4012215 (or systeminfo | findstr KB40122, using the KB for your Windows version). Later cumulative updates supersede MS17-010, so a host that is current on those is fixed even though the March 2017 KB is not listed; confirm with the scanner in step 4 rather than with KB lists alone.

  2. Disable SMBv1 — patching alone is insufficient if SMBv1 remains enabled; future SMBv1 vulnerabilities will re-expose the service:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false
    

    Or via Group Policy registry preference: Computer Configuration → Preferences → Windows Settings → Registry, key HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, REG_DWORD value SMB1 = 0 (the same value Set-SmbServerConfiguration writes; this is the method for Windows 7 and Server 2008 R2, which lack the cmdlet). On Windows 8.1 / Server 2012 R2 and later, remove the component outright with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol (client SKUs) or Remove-WindowsFeature FS-SMB1 (server SKUs). The "Enable insecure guest logons" policy is a separate Lanman Workstation setting and does not disable SMBv1.

  3. Block TCP port 445 at the perimeter firewall. SMB should never be exposed to the public internet. Internal segmentation should limit SMB access to only systems that require it.

  4. Scan your network for unpatched systems with Nmap's smb-vuln-ms17-010 script (nmap -p445 --script smb-vuln-ms17-010 <targets>) or Metasploit's auxiliary/scanner/smb/smb_ms17_010 module. Both send a benign Trans2 request over an anonymous session and inspect the error status the server returns, so they are safe against production hosts and confirm the fix is present regardless of which KB delivered it.

  5. Windows XP / Server 2003: These systems are permanently end-of-life and should be isolated from all network access or replaced. Emergency patches were released but no future patches are available.

Key Details

Property              Value
CVE ID                CVE-2017-0144
Vendor / Product      Microsoft — SMBv1
NVD Published         2017-03-17
NVD Last Modified     2025-10-22
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added        2022-02-10
CISA KEV Deadline     2022-08-10
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-08-10. Apply updates per vendor instructions.

Timeline

Date          Event
2017-03-14    Microsoft releases MS17-010, patching CVE-2017-0144 and related SMBv1 flaws on supported Windows versions, with no reporter credited
2017-03-17    CVE-2017-0144 published
2017-04-14    Shadow Brokers publicly release the NSA ETERNALBLUE exploit and related tools
2017-05-12    WannaCry ransomware worm launches its global attack; infects 200,000+ systems in 150 countries within 24 hours
2017-05-12    Marcus Hutchins discovers the WannaCry kill switch domain and registers it, slowing the outbreak
2017-05-12    Microsoft issues out-of-band MS17-010 patches (KB4012598) for the end-of-life Windows XP, Windows 8 and Server 2003
2017-06-27    NotPetya (Petya/ExPetr) destructive wiper deploys EternalBlue and EternalRomance; causes ~$10 billion in global damages
2017-12-19    US and UK governments publicly attribute WannaCry to North Korea
2018-02-15    UK and US governments publicly attribute NotPetya to the Russian military
2022-02-10    Added to CISA Known Exploited Vulnerabilities catalog
2022-08-10    CISA BOD 22-01 remediation deadline