cbcvebase.
CVE-2016-3345
published 2016-09-14

CVE-2016-3345: The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT…

PriorityP267high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EPSS
32.46%
98.1th percentile
The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Authenticated Remote Code Execution Vulnerability."

Affected

16 ranges
VendorProductVersion rangeFixed in
microsoftwindows_10
microsoftwindows_10
microsoftwindows_server_2008
microsoftwindows_server_2012
msrcwindows_10
msrcwindows_10_version_1511
msrcwindows_10_version_1607
msrcwindows_7
msrcwindows_8.1
msrcwindows_rt_8.1
msrcwindows_server_2008
msrcwindows_server_2008_r2
msrcwindows_server_2012
msrcwindows_server_2012_r2
msrcwindows_vista_service_pack_2
msrcwindows_vista_x64_edition_service_pack_2

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is specific to SMBv1 server; target SMBv1 traffic (TCP port 445 / 139) from authenticated sessions sending specially crafted packets
  • Only SMBv1 is impacted; detection should focus exclusively on SMBv1 protocol traffic, not SMBv2 or later
  • Exploitation requires prior authentication and file-open permissions on the target SMBv1 server; alert on authenticated SMBv1 sessions followed by anomalous or malformed request patterns
  • On Vista/Server 2008/Windows 7/Server 2008 R2 the impact is RCE; on later OS versions the symptom is the system stopping to respond until manually restarted — unexpected SMB-related system hangs/reboots on patched-but-SMBv1-enabled hosts are a post-exploitation indicator
  • ·Exploitation is limited to SMBv1; environments that have already disabled SMBv1 are not affected by this CVE
  • ·Affected OS scope is Windows Vista SP2, Server 2008 SP2/R2 SP1, Windows 7 SP1, Windows 8.1, Server 2012 Gold/R2, RT 8.1, and Windows 10 Gold/1511/1607 — detections should be scoped to these platforms

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_msrc5.0MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.