CVE-2017-8620
Published 2017-08-08
CVE-2017-8620: Windows Search in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607…
Priority: P2 · 63 · high · CVSS 3.0 base score 8.1
CVSS 3.0 vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 55.42% (98.9th percentile)
Windows Search in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability when it improperly handles objects in memory, aka "Windows Search Remote Code Execution Vulnerability".
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft_corporation | microsoft_windows_search_component | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCs (extracted from the sources below)
- Monitor inbound SMB connections (TCP/445) that carry Windows Search protocol traffic (MS-WSP, which rides on the SMB named pipe MSFTEWDS) to the Windows Search service (WSearch); in the enterprise scenario Microsoft describes, an unauthenticated remote attacker can reach the service this way.
- Alert on unexpected stops or disabling of the WSearch service (sc stop WSearch, or the Start value under HKLM\SYSTEM\CurrentControlSet\Services\WSearch set to 4); outside a change window this may indicate an attacker tampering with the service or applying the workaround to cover tracks.
- Treat CVE-2017-8620 as potentially wormable: because the vulnerable service is reachable over SMB without authentication, it could be used for lateral movement between hosts in the way EternalBlue/WannaCry were (Check Point's "Next WannaCry" framing). No such propagation was observed at patch time.
- Block or firewall TCP/445 on internet-facing systems to remove the remote unauthenticated path to the service.
- The workaround (disabling WSearch via registry Start=4 and sc stop WSearch) breaks Windows Search for every application that relies on it; apply it only if patching is not immediately possible, and restore Start=2 and start the service once the update is installed.
- At patch release no in-the-wild exploitation was confirmed, but Microsoft rated exploitation as "More Likely" for both latest and older software releases.
- This is NOT a vulnerability in SMB itself and is unrelated to the EternalBlue/WannaCry/Petya SMB flaws; SMB is only the delivery channel for the malformed Windows Search service messages, so SMB-specific patches or signatures do not cover it.
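The checks in the list above, collected into one host audit script. This is an added example written for this page, not code from Microsoft, Check Point, Qualys or Talos. It assumes PowerShell 3.0 or later, that the NetTCPIP/NetSecurity cmdlets (Windows 8.1 / Server 2012 R2 and later) are skipped where absent, and that the script runs elevated when the workaround switch is used. The Service Control Manager event IDs (7031/7034 service terminated unexpectedly, 7036 state change, 7040 start-type change) and Application Error event 1000 are standard Windows events; the lookback window and parameter names are choices made here. The script does not check whether the August 2017 update is installed, because the update identifiers are not on this page.

```powershell
<#
  Added example (not from the page or any vendor quoted on it).
  Audits a host for CVE-2017-8620 exposure signals and, with -ApplyWorkaround,
  applies Microsoft's workaround: WSearch Start=4 (Disabled) and stop the service.
#>
[CmdletBinding()]
param(
    [switch]$ApplyWorkaround,   # assumption: opt-in, because it breaks Windows Search
    [int]$LookbackHours = 24    # assumption: event-log window for the detection queries
)

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WSearch'

# 1. Service state. Start=4 plus Status=Stopped means the workaround is in place.
$svc   = Get-Service -Name WSearch -ErrorAction SilentlyContinue
$start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$startLabel = if ($null -ne $start -and $startNames.ContainsKey([int]$start)) { $startNames[[int]$start] } else { "Unknown($start)" }
$state = [pscustomobject]@{
    Service          = 'WSearch'
    Status           = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    StartType        = $startLabel
    WorkaroundActive = [bool]($start -eq 4 -and $svc -and $svc.Status -eq 'Stopped')
}
$state | Format-List

# 2. Is SMB listening on TCP/445, and which enabled inbound allow rules expose it?
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $smbListen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    Write-Host ("SMB listening on TCP/445: {0}" -f [bool]$smbListen)

    # RemoteAddress 'Any' on a public-profile rule is the exposure the IOC list says to close.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr -join ',') }
        } | Format-Table -AutoSize
}

# 3. Service Control Manager events for Windows Search:
#    7040 start type changed (workaround applied, or attacker disabling the service)
#    7036 service entered the stopped/running state (unexpected stop)
#    7031/7034 service terminated unexpectedly (SearchIndexer.exe crash, possible failed exploit attempt)
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034, 7036, 7040; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Windows Search' } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# The same crash signal from the application side: Application Error 1000 naming SearchIndexer.exe.
Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SearchIndexer\.exe' } |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 4. Workaround: the PowerShell equivalent of setting Start=4 in the registry and "sc stop WSearch".
if ($ApplyWorkaround -and -not $state.WorkaroundActive) {
    Set-ItemProperty -Path $svcKey -Name Start -Value 4
    Stop-Service -Name WSearch -Force -ErrorAction Stop
    Write-Warning 'WSearch disabled and stopped. Windows Search is unavailable until Start is set back to 2 and the service is started.'
}
```

Run it without arguments from an elevated prompt for a read-only audit; add -ApplyWorkaround only on hosts that cannot take the update yet. The crash events (7031/7034 and Application Error 1000 for SearchIndexer.exe) are worth collecting centrally: a memory-corruption bug in a service that is reachable over SMB tends to announce failed attempts as service crashes before a reliable exploit appears.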
CVSS provenance
nvd v3.0: 8.1 HIGH · CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 9.3 HIGH (CVSS v2 has no "Critical" band) · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc: 8.1 HIGH
GHSA
GHSA-rghm-5fqg-3p9g: Windows Search in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed · 2022-05-14 · CVE-2017-8620 [HIGH] · CWE-119
Windows Search in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability when it improperly handles objects in memory, aka "Windows Search Remote Code Execution Vulnerability".
Microsoft
Windows Search Remote Code Execution Vulnerability
vendor_msrc · 2017-08-08 · CVE-2017-8620 [HIGH] · CVSS 8.1
Description: A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target com
No detection rules found.
Checkpoint
2017-8-14 Global Cyber Attack Reports
blogs_checkpoint · 2017-08-14 · CVE-2017-8620
## 2017-8-14 Global Cyber Attack Reports
TOP ATTACKS AND BREACHES
Reports claim that a nation-state actor has breached EirGrid, Ireland’s electricity transmission company, and gained complete access to the company’s network. It is not yet clear what the attacker’s goal was in this breach, which could have been utilized to cause blackouts across Ireland.
The Russian hacker group APT28 (Fancy Bear), famous for breaching and leaking the contents of the DNC in the 2016 American elections, is likely behind breaches int
Checkpoint
“The Next WannaCry” Vulnerability is Here
blogs_checkpoint · 2017-08-11 · CVE-2017-8620 [HIGH] · CVSS 8.1
## “The Next WannaCry” Vulnerability is Here
This Tuesday, Microsoft released a security patch including 48 fixes, 25 of which are defined as “critical”. While Microsoft updates happen every
Talos
Microsoft Patch Tuesday - August 2017
blogs_talos · 2017-08-08 · [HIGH] · CVSS 7.8
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 48 new vulnerabilities with 25 of them rated critical, 21 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Remote Desktop Protocol, Sharepoint, SQL Server, the Windows Subsystem for Linux, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.
## Vulnerabilities Rated Critical The following vulnerabilities are rated "critical" by Microsoft:
- CVE-2017-8653 - Microsoft Browser Memory Corruption Vulnerability
- CVE-2017-8669 - Microsoft Browser Memory Corruption Vulnerability
- CVE-2017-866
Qualys
August Patch Tuesday: 25 critical Microsoft vulnerabilities, 43 for Adobe | Qualys
blogs_qualys · 2017-08-08 · CVE-2017-8620 [HIGH] · CVSS 7.5
Today Microsoft released patches covering 48 vulnerabilities as part of August’s Patch Tuesday update, with 15 of them affecting Windows. Patches covering 25 of these vulnerabilities are labeled as Critical, and 27 can result in Remote Code Execution. According to Microsoft, none of these vulnerabilities are currently being exploited in the wild.
Top priority for patching should go to CVE-2017-8620, which is a vulnerability in the Windows Search service. This is the third Patch Tuesday to feature a vulnerability in this service. As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerabili
References
- http://www.securityfocus.com/bid/100034
- http://www.securitytracker.com/id/1039091
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8620
- https://threatpost.com/windows-search-bug-worth-watching-and-squashing/127434/
Published 2017-08-08