CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Analysis (AI)
Remote code execution in the Microsoft SMBv1 server lets a network attacker run arbitrary code in the Windows kernel by sending crafted SMB packets to TCP port 445. The NVD vector scores the flaw PR:L (low privileges), but the public EternalBlue exploit drives it over an anonymous (null-session) SMB connection, so in practice no credentials are required. The vulnerability is one of the MS17-010 fixes and is the one exploited by 'EternalBlue'; it is listed in CISA KEV as actively exploited and carries an EPSS score of 94.32%, indicating near-certain exploitation. It was weaponized in the 2017 WannaCry and NotPetya campaigns, which used it to spread as SMB worms. Affected systems are Windows Vista through Windows 10 1607 and Windows Server 2008 through 2016, plus Siemens medical imaging systems built on a vulnerable embedded Windows. Multiple public exploits exist, typically paired with the DOUBLEPULSAR kernel-mode backdoor that EternalBlue installs to stage further payloads.
Technical Context (AI)
The bug is a kernel buffer overflow in srv.sys, the driver that implements the SMBv1 (Server Message Block version 1) server, in the code that converts an OS/2-format FEA (File Extended Attribute) list carried in a Transaction2 request into NT format. SrvOs2FeaListSizeToNt computes how large the NT list will be and writes the validated length of the OS/2 list back into the list header as a 16-bit value, so the upper 16 bits of the attacker-supplied 32-bit length survive; SrvOs2FeaListToNt then walks the list using that larger length and copies entries past the end of the non-paged pool buffer that was allocated from the smaller computed size. SMBv1 is a legacy file-sharing protocol that these Windows versions enable by default for interoperability with old clients and devices, so any host with TCP port 445 reachable is exposed. Because the overflow occurs in kernel context, successful exploitation yields arbitrary code execution as SYSTEM. CPE data shows the impact extends beyond Microsoft Windows to Siemens Acuson ultrasound systems (P300, P500, SC2000 and X700 models) running Windows-based embedded firmware versions 5.0a through va10/vb10, because those devices run the vulnerable Windows OS components. The flaw was reportedly discovered and held by the NSA before the Shadow Brokers leaked the exploit in April 2017, one month after Microsoft patched it in MS17-010. No specific CWE is assigned on the record; the root cause is an out-of-bounds write (CWE-787) triggered by an integer truncation during network protocol parsing.
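As an added example (not from this advisory, from Microsoft or from any exploit), the following Windows PowerShell function checks whether a remote host's SMB server still accepts the SMBv1 "NT LM 0.12" dialect, which is the precondition for this bug to be reachable over the network. It sends an SMB_COM_NEGOTIATE request that offers only that dialect, so an SMBv1 negotiate response means SMBv1 is on, while a closed connection or no answer is what a host with SMBv1 disabled or removed does. The host name, port and timeout are parameters you supply, and the result strings are this example's own labels. Use it only against hosts you are authorized to scan.

```powershell
# Added example (not from the advisory, from Microsoft or from any exploit):
# ask a host's SMB server to negotiate only the SMBv1 "NT LM 0.12" dialect.
function Test-Smb1Negotiate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [int] $Port = 445,
        [int] $TimeoutMs = 3000
    )

    # 32-byte SMBv1 header for SMB_COM_NEGOTIATE (0x72).
    $header = [byte[]](
        0xFF, 0x53, 0x4D, 0x42,                          # "\xFFSMB"
        0x72,                                            # SMB_COM_NEGOTIATE
        0x00, 0x00, 0x00, 0x00,                          # NT status
        0x18,                                            # Flags: canonical paths, case-insensitive
        0x53, 0xC8,                                      # Flags2 (0xC853): unicode, NT status, ext. security, long names
        0x00, 0x00,                                      # PIDHigh
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  # SecurityFeatures
        0x00, 0x00,                                      # Reserved
        0x00, 0x00,                                      # TID
        0xFF, 0xFE,                                      # PIDLow
        0x00, 0x00,                                      # UID
        0x00, 0x00                                       # MID
    )
    # NEGOTIATE body: WordCount = 0, ByteCount, then one dialect entry (0x02 + NUL-terminated name).
    $dialect = [byte[]]@(0x02) + [System.Text.Encoding]::ASCII.GetBytes('NT LM 0.12') + [byte[]]@(0x00)
    $body    = [byte[]]@(0x00) + [BitConverter]::GetBytes([uint16]$dialect.Length) + $dialect
    $smb     = [byte[]]($header + $body)
    # NetBIOS session service header: type 0x00 followed by a 24-bit big-endian length.
    $len     = $smb.Length
    $nb      = [byte[]]@(0x00, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF))
    $packet  = [byte[]]($nb + $smb)

    $client = New-Object System.Net.Sockets.TcpClient
    $buf = New-Object byte[] 1024
    $n = 0
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'no-connect' }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($packet, 0, $packet.Length)
        $n = $stream.Read($buf, 0, $buf.Length)   # throws on reset or read timeout
    } catch {
        return 'no-smb1-answer'                   # Windows with SMBv1 off closes the connection
    } finally {
        $client.Close()
    }

    if ($n -lt 39) { return 'no-smb1-answer' }   # need NetBIOS header + SMB header + WordCount + DialectIndex
    if ($buf[5] -ne 0x53 -or $buf[6] -ne 0x4D -or $buf[7] -ne 0x42) { return 'not-smb' }
    if ($buf[4] -eq 0xFE) { return 'smb2-only' }  # SMB2 header; not expected when only an SMBv1 dialect was offered
    if ($buf[4] -ne 0xFF -or $buf[8] -ne 0x72) { return 'unknown' }
    $wordCount    = $buf[36]                       # SMB offset 32, plus the 4 NetBIOS bytes
    $dialectIndex = [BitConverter]::ToUInt16($buf, 37)
    if ($wordCount -eq 17 -and $dialectIndex -eq 0) { return 'smb1-enabled' }   # NT LM 0.12 accepted
    if ($dialectIndex -eq 0xFFFF) { return 'smb1-dialect-rejected' }
    return 'unknown'
}
```

Run it over an inventory, for example `'10.0.0.5','10.0.0.6' | ForEach-Object { "$_ : $(Test-Smb1Negotiate -ComputerName $_)" }` (addresses assumed). A result of smb1-enabled means the host answers SMBv1 on port 445 and must be verified for the MS17-010 update; the probe only establishes reachability of the vulnerable protocol, not the patch level.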
Remediation (AI)
Apply the MS17-010 updates immediately through Windows Update or from the Microsoft Security Update Guide at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144. Microsoft released them in March 2017 for all supported Windows versions and, after WannaCry in May 2017, published out-of-band updates for the unsupported Windows XP, Windows 8 and Windows Server 2003 as well. For Siemens medical devices, obtain device-specific updates from Siemens Healthcare support per ICS-CERT advisory ICSMA-18-058-02, because installing the generic Windows update on a certified medical device can void its certification. If patching must wait, disable the SMBv1 server: on Windows 8.1 and Windows 10 run 'Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'; on Windows Server 2012 R2 and 2016 run 'Remove-WindowsFeature FS-SMB1'; on Windows 8 and Server 2012 run 'Set-SmbServerConfiguration -EnableSMB1Protocol $false'; on Windows Vista, 7, Server 2008 and 2008 R2 set the REG_DWORD value SMB1 to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and reboot. SMBv2 and SMBv3 are not affected, so disabling SMBv1 does not break modern clients, but it does break Windows XP and Server 2003 clients, legacy network-attached storage and some multifunction printers that scan to a share. Block TCP ports 445 and 139 at the network perimeter and segment internal networks so that one compromised host cannot reach every other host's port 445; this contains the wormable spread seen with WannaCry but does not protect the first system an attacker reaches. On air-gapped or isolated medical and industrial networks, verify patch deployment on each device directly, since those environments usually have no centralized patch-management visibility.
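As an added example that is not part of this advisory or of Microsoft's guidance, the following Windows PowerShell script audits the local SMBv1 server state, disables it using the mechanism appropriate to the OS generation, and re-checks. The function names, the firewall rule name and the version thresholds are this example's own choices; the cmdlets and registry value are the ones Microsoft documents for each version. Run it in an elevated Windows PowerShell session, and preview with -WhatIf first.

```powershell
# Added example (not from the advisory or from Microsoft): audit and disable the
# SMBv1 *server* on the local host. Disabling SMBv1 is a stop-gap; the MS17-010
# update is still required.

function Get-Smb1ServerState {
    # Returns 'Enabled' or 'Disabled' for the local SMBv1 server.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the live setting.
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { return 'Enabled' }
        return 'Disabled'
    }
    # Vista / 7 / 2008 / 2008 R2: governed by the SMB1 REG_DWORD; absent means on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -ne $val -and $val -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Win32_OperatingSystem reports the real version even where [Environment]::OSVersion
    # is shimmed; Get-WmiObject also exists on the PowerShell 2.0 that ships with Windows 7.
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version          # 6.1 = 7/2008 R2, 6.2 = 8/2012, 6.3 = 8.1/2012 R2, 10.0 = 10/2016
    $isServer = $os.ProductType -ne 1    # 1 = workstation, 2 = domain controller, 3 = server

    if ($ver -ge [version]'6.2') {
        # Windows 8 / Server 2012 and later: switch the server off now (no reboot needed)...
        if ($PSCmdlet.ShouldProcess('localhost', 'Set-SmbServerConfiguration -EnableSMB1Protocol $false')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
        # ...and on 8.1 / 2012 R2 and later also remove the SMB1 binaries (complete after reboot).
        if ($ver -ge [version]'6.3') {
            if ($isServer) {
                if ($PSCmdlet.ShouldProcess('localhost', 'Remove-WindowsFeature FS-SMB1')) {
                    Remove-WindowsFeature -Name FS-SMB1 | Out-Null
                }
            } elseif ($PSCmdlet.ShouldProcess('localhost', 'Disable-WindowsOptionalFeature SMB1Protocol')) {
                Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            }
        }
    } else {
        # Vista / 2008 / 7 / 2008 R2: registry value, effective after reboot.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        if ($PSCmdlet.ShouldProcess('localhost', "Set $key\SMB1 = 0 (reboot required)")) {
            Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        }
    }
}

function Block-InboundSmb {
    # Host-firewall backstop for hosts that do not need to serve files at all
    # (Windows 8 / Server 2012 and later). Do NOT apply to file servers or domain controllers.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $RuleName = 'MS17-010 backstop: block inbound SMB')   # rule name is this example's choice
    if ($PSCmdlet.ShouldProcess('localhost', "New-NetFirewallRule '$RuleName' TCP 139,445 inbound block")) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    }
}

"SMBv1 server before: $(Get-Smb1ServerState)"
Disable-Smb1Server
"SMBv1 server after:  $(Get-Smb1ServerState)"
```

On Windows 8 and later the Set-SmbServerConfiguration step takes effect immediately, so the "after" line reports Disabled without a reboot; on Windows 7 and older the registry change only applies after the next restart, so the script's "after" line there reflects the stored value, not the running server. Block-InboundSmb is deliberately not called by default: blocking 445 on a host that legitimately serves files breaks it, so use it only on workstations and application servers while they await the patch.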