What Is SMBv1?
Server Message Block version 1 (SMBv1) is the original Windows file sharing protocol running on TCP port 445. SMBv1 was enabled by default in all Windows versions through Windows 10 1703, making it present on virtually every Windows system globally. The MS17-010 advisory identified a cluster of SMBv1 vulnerabilities (CVE-2017-0143 through 0148) developed as NSA Equation Group tools and leaked by the Shadow Brokers. Together, these vulnerabilities powered the WannaCry and NotPetya outbreaks — the most destructive cyberattacks in history at the time of occurrence.
Overview
CVE-2017-0145 is a remote code execution vulnerability in the Windows SMBv1 server, patched in MS17-010 (March 14, 2017). It corresponds to EternalChampion — one of the NSA Equation Group SMBv1 exploit tools leaked by the Shadow Brokers in April 2017. Like the companion CVE-2017-0143 (EternalRomance), CVE-2017-0145 requires low-privilege access (PR:L) to exploit — exploiting a different SMBv1 code path than the unauthenticated CVE-2017-0144 (EternalBlue). All MS17-010 vulnerabilities enabled the global spread of WannaCry (May 2017) and NotPetya (June 2017). CISA added CVE-2017-0145 to the KEV catalog in February 2022.
Affected Versions
| Windows Version | Status |
|---|---|
| Windows Vista SP2 through Windows 10 1703 | Vulnerable |
| Windows Server 2008 through 2016 | Vulnerable |
| All above with MS17-010 applied | Fixed |
| Windows 10 1709 and later | Fixed (SMBv1 disabled by default) |
Technical Details
Root Cause: SMBv1 Transaction Buffer Memory Corruption
CVE-2017-0145 is a memory buffer vulnerability (CWE-119) in the SMBv1 server kernel driver (srv.sys). The EternalChampion exploit targets SMBv1 transaction handling — specifically exploiting a race condition or memory management flaw in the SMBv1 transaction mechanism that differs from the EternalBlue/EternalRomance paths.
PR:L authentication requirement: The low-privilege requirement reflects that the EternalChampion exploit path requires a valid SMBv1 connection that has at least established a NULL session or guest-level authentication — unlike EternalBlue (CVE-2017-0144) which is fully unauthenticated. In practice, many Windows systems allow NULL sessions by default, making the authentication barrier minimal.
MS17-010 vulnerability family: All five RCE CVEs in MS17-010 (CVE-2017-0143, 0144, 0145, 0146, 0148) target different code paths in srv.sys, providing multiple routes to exploitation that collectively ensure at least one works against any given vulnerable Windows version. Metasploit and other frameworks implemented multiple MS17-010 exploit modules to maximize coverage.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — TCP port 445 (SMBv1) |
| Authentication | Low (NULL session typical) |
| Shadow Brokers Tool | EternalChampion |
| Ransomware/Malware | WannaCry, NotPetya, subsequent ransomware families |
| Patch | MS17-010 (March 14, 2017) |
Discovery
Discovered by the NSA's Equation Group; publicly disclosed when Shadow Brokers published the EternalChampion tool on April 14, 2017 — one month after the MS17-010 patch.
Exploitation Context
- WannaCry global outbreak: WannaCry (May 2017) used the MS17-010 SMBv1 exploit family to spread self-propagating ransomware to over 200,000 systems in 150 countries within days; hospitals, telecoms, and government agencies were severely impacted
- NotPetya destructive malware: NotPetya (June 2017, attributed to Russian GRU Sandworm) used EternalBlue and companion MS17-010 exploits (including CVE-2017-0145 tools) to spread devastating disk-wiping malware disguised as ransomware; total damages exceeded $10 billion globally
- Long-lived exploitation: MS17-010 SMBv1 exploits continue to be used years after the 2017 patch — unpatched SMBv1-enabled systems remain prevalent in operational technology (OT) networks, legacy Windows deployments, and organizations with poor patch hygiene
- CISA KEV (2022): Added February 2022 reflecting ongoing active exploitation
Remediation
-
Apply MS17-010 — patch all Windows systems with the March 2017 security update. This is mandatory.
-
Disable SMBv1 on all systems:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -
Block TCP port 445 at network perimeters — prevent SMBv1 traffic from the internet and between network segments where it is not required.
-
Enable Windows Defender Credential Guard and exploit protections — layered defenses reduce the impact of SMBv1 exploitation even on unpatched legacy systems.
-
Replace end-of-life Windows systems — Windows XP, Server 2003, and Windows 7/Server 2008 without ESU cannot receive regular patches; prioritize migration or isolation.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2017-0145 |
| Vendor / Product | Microsoft — SMBv1 |
| NVD Published | 2017-03-17 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer find similar ↗ |
| CISA KEV Added | 2022-02-10 |
| CISA KEV Deadline | 2022-08-10 |
| Known Ransomware Use | ⚠️ Yes |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2017-03-14 | Microsoft releases MS17-010 patching CVE-2017-0145 (EternalChampion) and related SMBv1 vulnerabilities |
| 2017-03-17 | CVE-2017-0145 published by NVD |
| 2017-04-14 | Shadow Brokers leak NSA Equation Group tools including EternalChampion (CVE-2017-0145) |
| 2017-05-12 | WannaCry ransomware global outbreak using MS17-010 SMBv1 exploits |
| 2022-02-10 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-08-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2017-0145 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| MS17-010 — Security Update for Windows SMB Server (March 2017) | Vendor Advisory |