CVE-2017-0148 — Microsoft SMBv1 Server Remote Code Execution Vulnerability

CVE-2017-0148

Microsoft Windows SMBv1 — EternalSynergy/EternalBlue-Related SMBv1 RCE; Shadow Brokers Leak; WannaCry/NotPetya Propagation; Patched MS17-010 (March 2017)

What Is SMBv1?

Server Message Block version 1 (SMBv1) is the original Windows file and printer sharing protocol, carried over TCP port 445 (and historically over NetBIOS on TCP 139). Microsoft's MS17-010 security bulletin (March 14, 2017) fixed a cluster of SMBv1 server vulnerabilities, CVE-2017-0143 through CVE-2017-0148, that correspond to the NSA Equation Group exploits the Shadow Brokers published a month later. CVE-2017-0148 is the fifth remote code execution (RCE) entry in that family. NVD scores it as unauthenticated (PR:N) with high attack complexity (AC:H), the same profile NVD gives EternalBlue (CVE-2017-0144); the other three RCE entries (CVE-2017-0143, 0145, 0146) are scored PR:L.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 6, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0148 is a remote code execution vulnerability in the Windows SMBv1 server, fixed in MS17-010 (March 14, 2017). It is the fifth RCE entry in the MS17-010 family, the SMBv1 flaws whose exploits the Shadow Brokers published in April 2017 as leaked NSA Equation Group tools. NVD scores CVE-2017-0148 as unauthenticated (PR:N) with high attack complexity (AC:H), meaning successful exploitation depends on conditions outside the attacker's control rather than on a fixed request sequence. The MS17-010 exploits drove the WannaCry (May 2017) and NotPetya (June 2017) outbreaks: WannaCry used EternalBlue (CVE-2017-0144) and NotPetya used EternalBlue and EternalRomance. Neither is documented as using CVE-2017-0148 specifically, but every host they could infect was also missing the fix for it, since one update closes the whole family. CISA added CVE-2017-0148 to the KEV catalog in April 2022.

Affected Versions

Windows Version Status
Windows Vista SP2, 7, 8.1, RT 8.1 and 10 (1507, 1511, 1607) Vulnerable until MS17-010 is applied
Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016 Vulnerable until MS17-010 is applied
Windows XP, Server 2003 and 8 (out of support in March 2017) Vulnerable; Microsoft released out-of-band fixes (KB4012598) in May 2017 after WannaCry
All above with MS17-010 or a later cumulative update applied Fixed
Windows 10 1703 and later, Windows Server 2019 and later Fixed at release (1709 and later ship with the SMBv1 server disabled by default)

Technical Details

Root Cause: SMBv1 Buffer Overflow with High Exploitation Complexity

CVE-2017-0148 is a memory-safety bug (CWE-119, improper restriction of operations within the bounds of a memory buffer) in the SMBv1 server kernel driver, srv.sys. Microsoft's bulletin says only that the server improperly handles certain requests, and no public write-up ties CVE-2017-0148 to a named leaked tool the way CVE-2017-0144 is tied to EternalBlue. NVD rates it AC:H, as it does EternalBlue. In CVSS 3.x, high attack complexity means success depends on conditions the attacker does not control; for a kernel memory-corruption bug in a network service that usually means one or more of:

  • Specific environmental conditions (a particular Windows version, SMBv1 configuration, or server state)
  • A race condition or other timing-dependent trigger
  • Prior knowledge of the target's memory layout (for example from the CVE-2017-0147 information disclosure in the same bulletin)
  • A payload that must be fitted to the target rather than sent as-is

Unauthenticated: NVD scores CVE-2017-0148 as PR:N, the same as EternalBlue, whereas CVE-2017-0143, 0145 and 0146 are scored PR:L because their public exploits first establish an SMB session (on many legacy hosts an anonymous NULL session to IPC$ suffices). In practice the distinction matters little: all six CVEs are fixed by the same update, and whether an attacker can reach TCP 445 at all matters far more than the privilege score.

MS17-010 Complete Vulnerability Family

The five RCE CVEs fixed by MS17-010 are distinct bugs in the SMBv1 server's request handling, and a host missing the update is exposed to all of them at once. Tool names are the attributions most often given in public analyses; Microsoft's bulletin does not map tools to CVEs, and because EternalRomance, EternalSynergy and EternalChampion all abuse the SMBv1 transaction code, attributions vary between write-ups.

CVE Name CVSS Auth Required
CVE-2017-0143 EternalRomance 8.8 Low (PR:L)
CVE-2017-0144 EternalBlue 8.1 (AC:H) None (PR:N)
CVE-2017-0145 EternalChampion 8.8 Low (PR:L)
CVE-2017-0146 EternalSynergy 8.8 Low (PR:L)
CVE-2017-0147 (Information disclosure, not RCE) n/a None (PR:N)
CVE-2017-0148 (Fifth RCE variant, no public tool name) 8.1 (AC:H) None (PR:N)

All are fixed by MS17-010.

Attack Characteristics

Attribute Detail
Attack Vector Network — TCP port 445 (SMBv1)
Authentication None required
Complexity High — specific conditions required
Impact Remote code execution in kernel context
Ransomware MS17-010 exploits spread WannaCry (EternalBlue) and NotPetya (EternalBlue and EternalRomance); CISA flags CVE-2017-0148 for known ransomware use

Discovery

Developed by the NSA's Equation Group; disclosed publicly when Shadow Brokers published the MS17-010 toolkit on April 14, 2017 — one month after Microsoft's patch.

Exploitation Context

  • Complementary toolkit coverage: the leaked suite carried several SMBv1 exploits (EternalBlue, EternalRomance, EternalSynergy, EternalChampion) with different supported versions and reliability, so an operator who could not use EternalBlue against a given host had alternatives; every one of them is closed by the same update that fixes CVE-2017-0148
  • WannaCry and NotPetya deployment: WannaCry spread with EternalBlue and the DoublePulsar backdoor; NotPetya added EternalRomance and credential theft for lateral movement. Neither is documented as using CVE-2017-0148 specifically, but any host they could infect was also unpatched for it
  • Continued active exploitation: MS17-010 exploits remain in widespread use years after the 2017 fix, against unpatched legacy systems and forgotten hosts with TCP 445 exposed; the combination of historical impact and ongoing exploitation makes the MS17-010 CVEs among the most important entries in CISA KEV
  • CISA KEV (2022): added April 2022, one of a series of staggered KEV additions covering all six MS17-010 CVEs

Remediation

CISA BOD 22-01 Deadline: April 27, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply MS17-010 — the March 2017 Windows SMB Server bulletin fixes all five SMBv1 RCE CVEs (0143, 0144, 0145, 0146, 0148) and the information disclosure CVE (0147). It shipped as a separate KB per Windows version, and any later cumulative update supersedes it; Windows XP, Server 2003 and 8 need the May 2017 out-of-band update instead.

  2. Disable SMBv1 — on all Windows systems that do not need it (Windows 8.1 / Server 2012 R2 and later):

    Set-SmbServerConfiguration -EnableSMB1Protocol $false
    
    On Windows 7 and Server 2008 R2 the same cmdlet is not available; set the SMB1 value under the LanmanServer\Parameters registry key to 0 instead, as Microsoft's SMBv1 guidance describes. Disabling SMBv1 removes the vulnerable code path from the network surface but is a mitigation, not a substitute for the update.

  3. Block TCP port 445 at the perimeter and between network segments — an exploit that cannot reach port 445 cannot run regardless of patch status, which is why this is the most dependable mitigation for hosts that cannot be patched. It does nothing for attackers already inside the same segment, so it complements the update rather than replacing it.

  4. Restrict port 445 on the host firewall — with Windows Defender Firewall, block inbound TCP 445 on hosts that serve no shares, and scope the File and Printer Sharing allow rules to management or file-server subnets on hosts that do. Block rules take precedence over allow rules, so "allow only management" is done by narrowing the allow rules, not by adding a block rule with exceptions.

  5. Monitor for anomalous SMBv1 activity — on a current network, SMBv1 traffic to or from anything other than known legacy systems is anomalous. On Windows 10 / Server 2016 and later, SMB1 access auditing (AuditSmb1Access) records each SMBv1 client connection as event 3000 in the Microsoft-Windows-SMBServer/Audit log, which gives an inventory of remaining SMBv1 clients before the protocol is switched off and an alert source afterwards.
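The five steps above as one script, an added example that is not taken from the advisory or from Microsoft's documentation. It reports the host's state and, only with -Remediate, applies the changes. The $ManagementSubnets default, the -FileServer switch and the firewall rule name are placeholders for illustration; the KB list is a partial, hand-maintained set of MS17-010 update IDs that should be checked against the bulletin before being relied on; AuditSmb1Access needs Windows 10 / Server 2016 or later. Run it from an elevated PowerShell session.

```powershell
<#
Added example (not from the advisory or Microsoft): audit a Windows host for
MS17-010 exposure and, with -Remediate, apply the remediation steps. Run elevated.
Assumptions: $ManagementSubnets is a placeholder for the ranges that must reach SMB
on this host; the KB list is partial and should be verified against MS17-010.
#>
[CmdletBinding()]
param(
    [string[]]$ManagementSubnets = @('10.0.0.0/24'),  # hypothetical value, replace
    [switch]$FileServer,      # this host legitimately serves SMB shares
    [switch]$Remediate        # without this the script only reports
)

$report = [ordered]@{}

# 1. Patch evidence. Later cumulative updates supersede these KBs, so on a host
#    that is otherwise current an empty result is NOT a finding on its own.
$ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                'KB4012217','KB4012606','KB4013198','KB4013429','KB4012598')
$hotfixes = Get-HotFix -ErrorAction SilentlyContinue
$report.Ms17010KbPresent   = @($hotfixes | Where-Object { $ms17010Kbs -contains $_.HotFixID }).Count -gt 0
$report.LastUpdateInstalled = ($hotfixes | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

# 2. Is the SMBv1 server enabled, and is the SMB1 component still installed?
$smb = Get-SmbServerConfiguration
$report.Smb1ServerEnabled = $smb.EnableSMB1Protocol
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report.Smb1FeatureState = if ($feature) { $feature.State } else { 'n/a' }

# 3. Who can reach TCP 445? Count enabled inbound allow rules that open port 445.
$port445Rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$report.InboundAllow445Rules = @($port445Rules).Count

if ($Remediate) {
    # Step 2: turn the SMBv1 server off now; removing the component completes after a reboot.
    if ($smb.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # Steps 3/4: host firewall. Block rules beat allow rules in Windows Defender Firewall,
    # so "allow only management" is done by narrowing the allow rules' remote scope.
    if ($FileServer) {
        Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $ManagementSubnets
    } elseif (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB 445' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB 445' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }

    # Step 5: log every remaining SMBv1 client (event 3000, Microsoft-Windows-SMBServer/Audit).
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# Step 5 (report): SMBv1 clients recorded since auditing was enabled, if any.
$smb1Clients = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Message } | Select-Object -Unique
$report.Smb1ClientsAudited = @($smb1Clients).Count

[pscustomobject]$report | Format-List
if ($smb1Clients) { $smb1Clients }
```

Run it without switches first and read the report; run with -Remediate (and -FileServer where the host must keep serving shares) only after the audit log shows which clients still depend on SMBv1, since turning the protocol off breaks those clients immediately.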

Key Details

Property Value
CVE ID CVE-2017-0148
Vendor / Product Microsoft — SMBv1 server
NVD Published 2017-03-17
NVD Last Modified 2025-10-22
CVSS 3.1 Score 8.1
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity HIGH
CWE CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added 2022-04-06
CISA KEV Deadline 2022-04-27
Known Ransomware Use ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2022-04-27. Apply updates per vendor instructions.

Timeline

Date Event
2017-03-14 Microsoft releases MS17-010, fixing CVE-2017-0148 and the other SMBv1 vulnerabilities in the bulletin
2017-03-17 CVE-2017-0148 published by NVD
2017-04-14 Shadow Brokers publish NSA Equation Group tools including the MS17-010 exploit suite
2017-05-12 WannaCry ransomware global outbreak using MS17-010 exploits
2017-06-27 NotPetya destructive malware outbreak using MS17-010 exploits
2022-04-06 Added to CISA Known Exploited Vulnerabilities catalog
2022-04-27 CISA BOD 22-01 remediation deadline