⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-08-10.

CVE-2017-0144EternalBlue: Improper Input Validation in Microsoft Windows SMB

CWE-20Improper Input Validation130 documents23 sources
Severity
8.8HIGHNVD
NVD8.1
EPSS
94.4%
top 0.02%
CISA KEV
KEVRansomware
Added 2022-02-10
Due 2022-08-10
Exploit
Exploited in wild
Active exploitation observed
Affected products
21
Siemens Acuson Sc2000 FirmwareSiemens Syngo Sc2000 FirmwareMicrosoft Corporation Windows SMB+18 more
Timeline
PublishedMar 17
KEV addedFeb 10
KEV dueAug 10
Latest updateFeb 2
CISA Required Action: Apply updates per vendor instructions.

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages21 packages

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

6
GHSA
GHSA-fqgw-29m3-pwh5: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-3c3r-82gp-wc94: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-8w56-gqrj-2wfg: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-jxmr-j43h-4x9p: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-mfj7-24mx-p6qj: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14

💥Exploits & PoCs

9
Exploit-DB
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)2019-10-02
Exploit-DB
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)2017-07-11
Exploit-DB
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)2017-05-17
Exploit-DB
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)2017-05-17
Exploit-DB
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)2017-05-10

🔍Detection Rules

7
Suricata
ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 32017-05-16
Suricata
ET MALWARE Possible WannaCry DNS Lookup 52017-05-16
Suricata
ET MALWARE Possible WannaCry DNS Lookup 42017-05-16
Suricata
ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 12017-05-16
Suricata
ET MALWARE Possible WannaCry DNS Lookup 32017-05-15

📋Vendor Advisories

2
CISA
Microsoft SMBv1 Remote Code Execution Vulnerability2022-02-10
Microsoft
Windows SMB Remote Code Execution Vulnerability2017-03-14

🕵️Threat Intelligence

75
Huntress
Ten Years of Resilience, Innovation & Community-Driven Defense2025-08-25
Securelist
PipeMagic in 2025: How the backdoor operators’ tactics have changed2025-08-18
Securelist
Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-298242025-08-18
Sentinelone
RansomHub2025-01-08
Tenable
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 252024-10-22

📄Research Papers

25
arXiv
MalCVE: Malware Detection and CVE Association Using Large Language Models2026-02-02
arXiv
SCyTAG: Scalable Cyber-Twin for Threat-Assessment Based on Attack Graphs2025-12-27
arXiv
Automated Side-Channel Analysis of Cryptographic Protocol Implementations2025-11-17
arXiv
PentestMCP: A Toolkit for Agentic Penetration Testing2025-10-04
arXiv
An Automated Attack Investigation Approach Leveraging Threat-Knowledge-Augmented Large Language Models2025-09-01
CVE-2017-0144 — EternalBlue: Improper Input Validation | cvebase