CVE-2017-8464
published 2017-06-15


Priority: P1 (93, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-08-10)
Exploited in the wild
EPSS: 90.03% (99.8th percentile)
Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability."

Affected

15 ranges (version range and fixed-in version not recorded on the page)

Vendor                 | Product                    | Version range | Fixed in
-----------------------|----------------------------|---------------|---------
microsoft              | windows_server_2008        |               |
microsoft              | windows_server_2012        |               |
microsoft_corporation  | windows_shell              |               |
msrc                   | windows_10                 |               |
msrc                   | windows_10_version_1511    |               |
msrc                   | windows_10_version_1607    |               |
msrc                   | windows_10_version_1703    |               |
msrc                   | windows_7                  |               |
msrc                   | windows_8.1                |               |
msrc                   | windows_rt_8.1             |               |
msrc                   | windows_server_2008        |               |
msrc                   | windows_server_2008_r2     |               |
msrc                   | windows_server_2012        |               |
msrc                   | windows_server_2012_r2     |               |
msrc                   | windows_server_2016        |               |

Detection & IOCs (extracted from sources)

hash (SHA-256): 14f8dc79113b6a2d3f378d2046dbc4a9a7c605ce24cfa5ef9f4e8f5406cfd84d
hash (SHA-256): 3596e8fa5e19e860a2029fa4ab7a4f95fadf073feb88e4f82b19a093e1e2737c
hash (SHA-256): 4bc1a84ddbbb360e3026e8ec1d0e1eff02a100cf01888e7e2a2ac6a105c71450
hash (SHA-256): aa259b168ec448349e91a9d560569bdb6fabd811d78888c6080065a549f60cb0
port: 445
port: 139
process: mshta.exe
  • CVE-2017-8464 exploitation involves dropping a crafted .LNK file on network or removable drives; monitor for .LNK files appearing on drive roots or network shares, especially when executed via Windows Explorer icon rendering.
  • BlackSquid (Worm.Win32.BLASQUI.A) uses CVE-2017-8464 for lateral propagation via removable and network drives; hunt for the detection name BLASQUI in endpoint telemetry.
  • BlackSquid aborts infection if sandbox-associated usernames, disk drive model strings (e.g., VBOX, vmware, Qemu, Sandbox), or debugger/sandbox processes (e.g., OllyDBG.EXE, Sandboxie.exe, vboxdrv.sys) are detected; use these as canary indicators in deception environments.
  • Monitor SMB traffic on ports 445 and 139 for EternalBlue-DoublePulsar exploit patterns used alongside CVE-2017-8464 for network propagation.
  • The BlackSquid hardware breakpoint anti-analysis routine is hard-coded to 0 (disabled) at time of analysis, meaning the breakpoint-based evasion branch was not yet active in the observed sample.

CVSS provenance

nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH
vendor_msrc: 7.5 HIGH