Search
On this page ▾
CVE-2017-0146 — Microsoft Windows SMB Remote Code Execution Vulnerability

CVE-2017-0146

Microsoft Windows SMBv1 — EternalSynergy: NSA Equation Group SMBv1 RCE; Shadow Brokers Leak; WannaCry/NotPetya Propagation; Patched MS17-010 (March 2017)
⚠️ CVSS 3.1  8.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What Is SMBv1?

Server Message Block version 1 (SMBv1) is the original Windows file sharing protocol running on TCP port 445. The MS17-010 advisory encompasses a cluster of SMBv1 vulnerabilities — CVE-2017-0143 through CVE-2017-0148 — all corresponding to NSA Equation Group exploit tools leaked by the Shadow Brokers. CVE-2017-0146 (EternalSynergy) is one of three low-privilege-required SMBv1 RCE variants in this family, complementing the unauthenticated EternalBlue (CVE-2017-0144). Together, these vulnerabilities enabled the worst ransomware and malware outbreaks in computing history.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0146 is a remote code execution vulnerability in the Windows SMBv1 server, patched in MS17-010 (March 14, 2017). It corresponds to EternalSynergy — an NSA Equation Group SMBv1 exploit tool that targets a different code path in the SMBv1 server than EternalBlue (CVE-2017-0144), with a low-privilege authentication requirement (PR:L). EternalSynergy combined with EternalBlue were used in WannaCry and NotPetya to achieve maximum propagation. CISA added CVE-2017-0146 to the KEV catalog in March 2022.

Affected Versions

Windows Version Status
Windows Vista SP2 through Windows 10 1703 Vulnerable
Windows Server 2008 through 2016 Vulnerable
All above with MS17-010 applied Fixed
Windows 10 1709 and later Fixed (SMBv1 disabled by default)

Technical Details

Root Cause: SMBv1 Transaction Handling Buffer Overflow

CVE-2017-0146 is a memory buffer vulnerability (CWE-119) in Windows SMBv1 server (srv.sys). EternalSynergy exploits a flaw in how the SMBv1 server processes specific transaction request packet structures, causing memory corruption in the kernel-mode driver that can be leveraged for code execution.

EternalSynergy distinguishing characteristics:

  • Like EternalRomance (CVE-2017-0143) and EternalChampion (CVE-2017-0145), EternalSynergy requires low-privilege SMBv1 access (PR:L), typically via NULL session
  • EternalSynergy is particularly effective against Windows 8 / Server 2012 and newer systems — while EternalBlue works best against Windows 7/Server 2008, EternalSynergy extended exploitation coverage to newer Windows versions
  • Multiple exploit tools targeting different code paths (EternalBlue, EternalRomance, EternalSynergy, EternalChampion) ensured at least one exploit worked on any given vulnerable Windows version

WannaCry and NotPetya Global Impact

The MS17-010 family's real-world impact was catastrophic:

  • WannaCry (May 12, 2017): Self-propagating ransomware that used EternalBlue and companion tools to spread across SMBv1-enabled networks; UK National Health Service (NHS) was severely disrupted; 200,000+ infections in 150 countries in 4 days; estimated damage $4-8 billion
  • NotPetya (June 27, 2017): Destructive malware using EternalBlue and EternalSynergy (CVE-2017-0146) attributed to Russian GRU Sandworm; specifically targeted Ukrainian infrastructure but spread globally; Maersk shipping, Merck pharmaceutical, FedEx/TNT suffered hundreds of millions in damages each; total damage exceeded $10 billion

Attack Characteristics

Attribute Detail
Attack Vector Network — TCP port 445 (SMBv1)
Authentication Low (NULL session)
Shadow Brokers Tool EternalSynergy
Target Windows Versions Effective on Windows 8/Server 2012 and newer
Ransomware/Malware WannaCry, NotPetya, subsequent campaigns

Discovery

Developed by the NSA's Equation Group; publicly disclosed when Shadow Brokers published the tool on April 14, 2017 — one month after Microsoft's MS17-010 patch.

Exploitation Context

  • Complementary MS17-010 exploit coverage: EternalSynergy (CVE-2017-0146) was specifically effective against Windows versions where EternalBlue was less reliable, ensuring the MS17-010 family could exploit the full range of Windows SMBv1 targets; this multi-exploit strategy maximized WannaCry/NotPetya propagation
  • Metasploit integration: The MS17-010 exploits (EternalBlue, EternalRomance, EternalSynergy, EternalChampion) were implemented in Metasploit shortly after the Shadow Brokers disclosure, making them accessible to all penetration testers and attackers with basic tooling
  • Ongoing exploitation: MS17-010 SMBv1 exploits remain in active use by ransomware operators against unpatched legacy systems; these are some of the most reliable and widely used network propagation exploits in attacker toolkits
  • CISA KEV (2022): Added March 2022, one of the most important vulnerabilities in KEV history

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS17-010 — patch all Windows systems with the March 2017 security update immediately. No other single patch has more impact on preventing ransomware propagation.

  2. Disable SMBv1 — disable the SMBv1 protocol on all Windows systems:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

  3. Block TCP port 445 at network boundaries — prevent SMBv1 traffic from crossing internet and inter-VLAN boundaries.

  4. Network segmentation — segment networks so that SMBv1-enabled systems cannot propagate exploits across VLANs to production systems; ransomware worm behavior requires flat networks to spread widely.

  5. Monitor for SMBv1 traffic — alert on SMBv1 network traffic; in 2024+, SMBv1 traffic on any modern network is anomalous and warrants investigation.

Key Details

PropertyValue
CVE ID CVE-2017-0146
Vendor / Product Microsoft — Windows
NVD Published2017-03-17
NVD Last Modified2025-10-22
CVSS 3.1 Score8.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SeverityHIGH
CWE CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer find similar ↗
CISA KEV Added2022-03-25
CISA KEV Deadline2022-04-15
Known Ransomware Use ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

DateEvent
2017-03-14Microsoft releases MS17-010 patching CVE-2017-0146 (EternalSynergy) and related SMBv1 vulnerabilities
2017-03-17CVE-2017-0146 published by NVD
2017-04-14Shadow Brokers publish NSA Equation Group tools including EternalSynergy (CVE-2017-0146)
2017-05-12WannaCry ransomware uses MS17-010 to spread to 200,000+ systems globally
2017-06-27NotPetya destructive malware uses MS17-010 to spread; causes $10B+ damages
2022-03-25Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15CISA BOD 22-01 remediation deadline

References

ResourceType
NVD — CVE-2017-0146 Vulnerability Database
CISA KEV Catalog Entry US Government
MS17-010 — Security Update for Windows SMB Server (March 2017) Vendor Advisory

Last updated: 2026-05-24

Suggest an update ↗

Gavin Hollinger & AI assembled this air-gap friendly HTML