CVE-2017-8620
published 2017-08-08

CVE-2017-8620: Windows Search in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607…

Priority: P2 63 (high)
CVSS 3.0: 8.1 (AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H)
EPSS: 55.42% (98.9th percentile)
Windows Search in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability when it improperly handles objects in memory, aka "Windows Search Remote Code Execution Vulnerability".

Affected

18 ranges (version range and fixed-in version not recorded on this page)

Vendor                  Product
microsoft               windows_10
microsoft               windows_10
microsoft               windows_10
microsoft               windows_server_2008
microsoft               windows_server_2012
microsoft_corporation   microsoft_windows_search_component
msrc                    windows_10
msrc                    windows_10_version_1511
msrc                    windows_10_version_1607
msrc                    windows_10_version_1703
msrc                    windows_7
msrc                    windows_8.1
msrc                    windows_rt_8.1
msrc                    windows_server_2008
msrc                    windows_server_2008_r2
msrc                    windows_server_2012
msrc                    windows_server_2012_r2
msrc                    windows_server_2016

Detection & IOCs (extracted from sources)

port:     445
registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WSearch
registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WSearch\Start = dword:00000004
process:  WSearch

  • Monitor for inbound SMB connections (port 445) delivering specially crafted messages to the Windows Search service (WSearch); unauthenticated remote exploitation is possible over SMB in enterprise environments.
  • Alert on unexpected stops or disabling of the WSearch service (sc stop WSearch, or the Start registry value set to 4), which may indicate active exploitation or attacker-driven evasion of the mitigation.
  • Treat CVE-2017-8620 as a wormable vector: lateral movement over SMB between hosts, without authentication, is the primary propagation mechanism, analogous to EternalBlue/WannaCry.
  • Block or firewall port 445 on internet-facing systems to prevent remote unauthenticated exploitation of this vulnerability.
  • The workaround (disabling WSearch via the registry Start=4 value and sc stop WSearch) breaks Windows Search functionality for every application that relies on it; apply it only if patching is not immediately possible.
  • At the time of patch release, no in-the-wild exploitation was confirmed, but Microsoft rated exploitation as "More Likely" for both the latest and older software releases.
  • This is NOT a vulnerability in SMB itself and is unrelated to the EternalBlue/WannaCry/Petya SMB flaws; SMB is only the delivery channel for the malformed Windows Search service messages.

CVSS provenance

Source        Version   Score   Severity    Vector
nvd           v3.0      8.1     HIGH        CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0      9.3     CRITICAL    AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc   -         8.1     HIGH        -