⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-06-14.

CVE-2017-0147 — Sensitive Information Exposure in Corporation Windows SMB

CWE-200 — Sensitive Information Exposure31 documents17 sources

Severity

7.5HIGHNVD

EPSS

92.4%

top 0.27%

CISA KEV

KEVRansomware

Added 2022-05-24

Due 2022-06-14

Exploit

Exploited in wild

Active exploitation observed

Affected products

Siemens Acuson Sc2000 Firmware Siemens Syngo Sc2000 Firmware Microsoft Corporation Windows SMB +18 more

Timeline

PublishedMar 17

KEV addedMay 24

KEV dueJun 14

Latest updateApr 28

CISA Required Action: Apply updates per vendor instructions.

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka "Windows SMB Information Disclosure Vulnerability."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages20 packages

▶msrcmsrc/windows_server_2008

▶msrcmsrc/windows_server_2012

▶msrcmsrc/windows_server_2016

▶msrcmsrc/windows_server_2008_r2

▶msrcmsrc/windows_server_2012_r2

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-xh7q-7r6g-64g2: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8↗2022-05-14

▶

VulnCheck

Microsoft Windows SMBv1 Information Disclosure Vulnerability↗2017

▶

💥Exploits & PoCs

Exploit-DB

DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)↗2019-10-02

▶

Exploit-DB

Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)↗2018-02-05

▶

Exploit-DB

Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)↗2017-05-10

▶

Exploit-DB

Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)↗2017-04-17

▶

Metasploit

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption↗

▶

📋Vendor Advisories

CISA

Microsoft Windows SMBv1 Information Disclosure Vulnerability↗2022-05-24

▶

Microsoft

Windows SMB Information Disclosure Vulnerability↗2017-03-14

▶

🕵️Threat Intelligence

Fortinet

Key Takeaways from the 2025 Global Threat Landscape Report | FortiGuard Labs↗2025-04-28

▶

Qualys

Emotet Re-emerges with Help from TrickBot↗2022-01-06

▶

Talos

Necro Python bot adds new exploits and Tezos mining to its bag of tricks↗2021-06-03

▶

Unit42

Network Attack Trends: Internet of Threats (November 2020-January 2021)↗2021-04-12

▶

Unit42

Network Attack Trends: Internet of Threats (November 2020-January 2021)↗2021-04-12

▶

📐Framework References

OWASP

Vulnerability Naming Schemes↗

▶

📄Research Papers

arXiv

AVScan2Vec: Feature Learning on Antivirus Scan Data for Production-Scale Malware Corpora↗2023-06-09

▶

arXiv

Evaluating the Performance of Twitter-based Exploit Detectors↗2020-11-05

▶

CTF

17. Using the Metasploit-Framework / Using the Metasploit-Framework↗

▶