CVE-2017-8543
published 2017-06-15

CVE-2017-8543: Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1…

Priority: P189 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability, due 2022-06-14
ITW: Exploited in the wild
EPSS: 73.76% (99.4th percentile)
Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability".

Affected

15 ranges
Vendor                  Product                   Version range   Fixed in
microsoft               windows_server_2008
microsoft               windows_server_2012
microsoft_corporation   microsoft_windows
msrc                    windows_10
msrc                    windows_10_version_1511
msrc                    windows_10_version_1607
msrc                    windows_10_version_1703
msrc                    windows_7
msrc                    windows_8.1
msrc                    windows_rt_8.1
msrc                    windows_server_2008
msrc                    windows_server_2008_r2
msrc                    windows_server_2012
msrc                    windows_server_2012_r2
msrc                    windows_server_2016

Detection & IOCs (extracted from sources)

registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WSearch
registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WSearch\Start = dword:00000004
  • The vulnerability is triggered by specially crafted messages sent to the Windows Search service (WSearch); monitor for anomalous or malformed inbound traffic targeting the Windows Search service.
  • In enterprise/network scenarios, exploitation is delivered over an SMB connection to the Windows Search service; monitor for unexpected SMB connections that interact with WSearch, particularly from unauthenticated or external sources.
  • CVE-2017-8543 is confirmed exploited in the wild; treat any unpatched Windows Search service exposure as actively targeted.
  • Monitor for post-exploitation activity: program installation, data access/modification/deletion, and new account creation with full user rights following WSearch service anomalies.
  • Microsoft issued patches for out-of-support platforms (Windows XP, Server 2003) due to active exploitation; these patches are available but do not represent a change in standard servicing policy.
  • Disabling the WSearch service (setting registry Start value to 4 and running 'sc stop WSearch') is the documented workaround, but it will make Windows Search functionality unavailable to all applications relying on it.

CVSS provenance

nvd           v3.1   9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck            9.8    CRITICAL
cisa                 9.8    CRITICAL
vendor_msrc          8.1    HIGH