EternalBlue, tracked formally as CVE-2017-0144, is a remote code execution vulnerability in Microsoft's SMBv1 (Server Message Block version 1) protocol implementation that became one of the most consequential exploits in modern cybersecurity history. A crafted packet sent to a vulnerable SMBv1 server can trigger a buffer overflow in the kernel-mode driver srv.sys, allowing an unauthenticated remote attacker to execute arbitrary code with SYSTEM-level privileges — no user interaction required. Weaponized first by the NSA's Equation Group and later leaked publicly, EternalBlue went on to power WannaCry and NotPetya, two of the most destructive malware outbreaks ever recorded, causing an estimated tens of billions of dollars in global damage. Nearly a decade later, unpatched and unmanaged SMBv1 endpoints are still being found — and still being exploited — inside enterprise networks.
What Is CVE-2017-0144?
CVE-2017-0144 sits within a cluster of SMBv1 vulnerabilities disclosed and patched together by Microsoft in March 2017 (alongside CVE-2017-0143, -0145, -0146, -0147, and -0148). The flaw lives in how the SMBv1 server mishandles specially crafted "Transaction2" (FEA, or File Extended Attribute) requests. By manipulating the size fields in these requests, an attacker can corrupt memory in a way that overwrites adjacent heap structures, ultimately hijacking control flow to execute attacker-supplied shellcode in kernel context.
Because SMB (TCP port 445, sometimes 139) is used for file sharing, printer sharing, and inter-process communication across nearly every Windows network, and because the vulnerability requires no authentication and no user interaction, EternalBlue is close to a worst-case RCE: pre-auth, network-reachable, wormable, and capable of full system compromise. It was this "wormability" — the ability to self-propagate from host to host without any user clicking anything — that made WannaCry and NotPetya spread across entire organizations in minutes.
Affected Versions and Components
MS17-010 patched SMBv1 across a broad swath of the Windows install base. Vulnerable and patched systems include:
- Windows Vista and Windows Server 2008 (all editions)
- Windows 7 and Windows Server 2008 R2
- Windows 8.1 and Windows Server 2012 / 2012 R2
- Windows 10 (early builds, pre-1703) and Windows Server 2016
- Windows Server, Core installations with the SMBv1 server feature enabled
Notably, Windows XP and Windows Server 2003 were, at the time, out of support and did not initially receive a patch. Given the scale of WannaCry's impact in May 2017, Microsoft took the unusual step of issuing emergency out-of-band patches for these unsupported operating systems.
The common thread across all affected systems is a single legacy component: the SMBv1 protocol stack, specifically the srv.sys driver handling SMBv1 transaction requests. Any device — server, workstation, embedded appliance, NAS, or legacy OT/ICS system — running SMBv1 without the March 2017 patches (or without SMBv1 disabled outright) remains exposed to this exact exploitation path today.
CVSS, EPSS, and KEV Context
- CVSS: NVD scores CVE-2017-0144 at a CVSS v2 base score of 9.3 and a CVSS v3 base score of 8.1 (Network attack vector, High attack complexity, No privileges required, No user interaction, High confidentiality/integrity/availability impact). The "high complexity" rating undersells real-world risk — publicly available, point-and-click exploit tooling (via the Metasploit and Shadow Brokers releases) reduced practical exploitation difficulty to near zero.
- EPSS: Given nearly a decade of confirmed, widespread, automated exploitation — from WannaCry and NotPetya to years of follow-on cryptomining and botnet campaigns — CVE-2017-0144 consistently scores in the highest EPSS percentile band (typically cited near the 97th+ percentile), reflecting a near-certainty of continued opportunistic scanning and exploitation against any exposed instance.
- CISA KEV: CVE-2017-0144 is listed on CISA's Known Exploited Vulnerabilities catalog, and SMBv1 exposure is repeatedly flagged in CISA advisories as a top initial-access vector for ransomware affiliates. Any organization subject to CISA Binding Operational Directive remediation timelines should treat internet-facing or even internally-reachable SMBv1 as a mandatory, time-boxed finding.
Taken together, this is a vulnerability where the "base score" undersells urgency: age, wormability, weaponization, and sustained real-world exploitation push actual risk well above what an 8.1 might imply in isolation.
Timeline
- Pre-2017: SMBv1 flaws, including what would become EternalBlue, are developed and used operationally by the NSA's Equation Group, reportedly for years prior to public disclosure.
- August 2016: The Shadow Brokers, a still-unidentified group, begin teasing and auctioning stolen NSA exploit tooling.
- March 14, 2017: Microsoft releases MS17-010, patching CVE-2017-0143 through -0148, reportedly after a private tip that allowed vendors a head start before public leak.
- April 14, 2017: The Shadow Brokers publicly release the EternalBlue exploit (and companion tools DoublePulsar, EternalRomance, EternalChampion) as part of the "Lost in Translation" dump.
- May 12, 2017: WannaCry ransomware erupts globally, using EternalBlue for lateral movement and DoublePulsar for payload delivery, infecting an estimated 200,000+ systems across 150+ countries within days, disrupting the UK's NHS, Spain's Telefónica, and FedEx, among many others.
- May 13–19, 2017: Microsoft issues emergency patches for unsupported Windows XP and Server 2003.
- June 27, 2017: NotPetya, disguised as ransomware but functioning as a destructive wiper, uses EternalBlue plus credential theft to devastate organizations including Maersk, Merck, and FedEx subsidiary TNT Express, with damages estimated above $10 billion.
- 2018–present: EternalBlue continues to be observed in cryptomining botnets (e.g., variants of Retefe, Emotet infrastructure reuse) and in periodic ransomware intrusions where legacy SMBv1 remains enabled, confirming that "patched years ago" has not translated to "eradicated in practice."
Remediation Steps
- Apply MS17-010 immediately on any system that has not already received it. This remains the authoritative fix for CVE-2017-0144 and its sibling CVEs.
- Disable SMBv1 entirely, independent of patch status. On Windows Server, remove the "SMB 1.0/CIFS File Sharing Support" feature; on clients, disable via PowerShell (
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol) or Group Policy. SMBv1 is disabled by default on modern Windows builds, but many legacy upgrades and imaged deployments carry it forward unintentionally. - Block SMB at the network boundary. Ensure TCP 445 and 139 are not exposed to the internet, and use segmentation/firewall rules to restrict SMB traffic to only the internal hosts and subnets that legitimately require it.
- Inventory legacy and unsupported systems (embedded devices, OT/ICS equipment, old NAS appliances, unsupported OS versions) that may still require SMBv1 for compatibility. Isolate these into dedicated network segments with strict access control rather than leaving them broadly reachable.
- Deploy detection for SMB exploitation patterns, including IDS/IPS signatures for EternalBlue/DoublePulsar traffic, and monitor for anomalous lateral SMB connections, unusual named pipe activity, or unexpected SYSTEM-level process spawns from
services.exe/lsass.execorrelated with SMB sessions. - Validate via authenticated vulnerability scanning and EDR telemetry, not just patch-management dashboards — patch status alone can miss instances where SMBv1 was re-enabled for a legacy application dependency after the fact.
How Safeguard Helps
Nine years on, CVE-2017-0144 persists in enterprise environments precisely because legacy protocol exposure is easy to lose track of across sprawling infrastructure, shadow IT, and inherited acquisitions — which is exactly the blind spot Safeguard is built to close. Safeguard ingests and generates SBOMs across your infrastructure and software estate so that legacy components like SMBv1-enabled hosts, outdated OS images, and unpatched services are continuously inventoried rather than rediscovered during an incident. Our reachability analysis engine goes beyond "is SMBv1 installed" to determine whether the vulnerable service is actually network-reachable from untrusted zones or the internet, so your team can prioritize the handful of genuinely exploitable instances instead of chasing every match in a scan report. Griffin AI, Safeguard's contextual triage assistant, correlates CVSS, EPSS, and CISA KEV signals like the ones covered above with your specific environment to tell you which EternalBlue-class findings represent real, active risk right now. And where remediation is code- or config-driven — disabling SMBv1 in infrastructure-as-code, tightening firewall rules, or updating hardening baselines — Safeguard's auto-fix PRs turn that guidance into a reviewable pull request instead of a ticket that sits in a backlog for another nine years.