CVE-2017-0144 · Disclosed 2017-03-17

The SMBv1 server in Microsoft Windows Vista SP2

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a lit match thrown into a file-sharing hallway soaked with gasoline.

CVE-2017-0144 is the *EternalBlue* SMBv1 server bug in Windows that lets a remote attacker send crafted SMB packets and execute code as SYSTEM. Affected platforms are the March 2017-era Windows families Microsoft listed in MS17-010: Vista SP2, Server 2008 SP2, Server 2008 R2 SP1, Windows 7 SP1, Windows 8.1, Server 2012/2012 R2, Windows RT 8.1, Windows 10 1507/1511/1607, and Server 2016, *when SMBv1 server code is present and reachable*.

The vendor baseline you supplied — HIGH 8.8 with PR:L — undersells the operational reality. Microsoft's March 14, 2017 bulletin explicitly described exploitation as possible by an *unauthenticated attacker in most situations*, and the exploit became the backbone of WannaCry and NotPetya; for enterprise defenders this is a wormable, pre-auth, network RCE with proven ransomware utility, so it belongs in CRITICAL whenever SMBv1 is still exposed anywhere that matters.

"If SMBv1 is still reachable, this is still a one-packet worm problem, not a routine Windows patch."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find reachable SMBv1 with nmap or masscan

The attacker identifies hosts answering on TCP/445, then checks whether the target negotiates SMBv1. This is cheap reconnaissance and works both externally on badly exposed hosts and internally after any foothold. The weaponized reality is that finding candidates is faster than exploiting them.
Conditions required:
  • Target host listens on TCP/445
  • Network path to the host exists
  • SMBv1 is enabled or at least reachable enough to probe
Where this breaks in practice:
  • Most mature enterprises block inbound 445 at the perimeter
  • Some environments have already removed SMBv1 entirely
  • Network segmentation can sharply reduce reachable population
Detection/coverage: Excellent scanner coverage. nmap --script smb-vuln-ms17-010 and Metasploit auxiliary/scanner/smb/smb_ms17_010 both detect this well.
STEP 02

Confirm MS17-010 exposure with smb-vuln-ms17-010 or Metasploit scanner

The attacker or operator validates that the SMB stack returns the telltale behavior associated with missing MS17-010 fixes. This is a low-noise preflight step that avoids wasting exploit attempts on patched systems. In practice, defenders can run the same tests at scale.
Conditions required:
  • SMB session establishment is possible
  • Target is missing the relevant MS17-010 fix or equivalent backport
  • SMBv1 server logic is still enabled
Where this breaks in practice:
  • Accurate detection collapses the vulnerable population quickly once patching is mature
  • Hosts with SMBv1 disabled are effectively out of scope even if legacy KB state is messy
Detection/coverage: Strong. Nmap marks the script safe; many commercial vuln scanners flag this reliably.
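The "run the same tests at scale" point above, as an added defender-side example that is not part of the noisgate page or its verification payload: a PowerShell wrapper that runs the safe Nmap smb-vuln-ms17-010 check over a range and turns the XML report into a per-host table. It assumes nmap is on PATH; the target range, output path and state labels are the example's own, not the page's.

```powershell
# Added example (not the noisgate page's code): fleet sweep with the safe Nmap MS17-010 check.
# Assumptions: nmap on PATH; -Targets and the XML path are placeholders to replace.

function Invoke-Ms17010Sweep {
    param(
        [Parameter(Mandatory)][string[]]$Targets,                    # e.g. '10.0.0.0/24' (placeholder)
        [string]$XmlPath = (Join-Path $env:TEMP 'ms17-010-sweep.xml')
    )

    # -p445: SMB only. --script smb-vuln-ms17-010: the safe MS17-010 probe. -oX: machine-readable output.
    & nmap -p445 --script smb-vuln-ms17-010 -oX $XmlPath $Targets | Out-Null
    if (-not (Test-Path $XmlPath)) { throw "nmap produced no XML output at $XmlPath" }

    [xml]$scan = Get-Content -Path $XmlPath -Raw

    foreach ($h in @($scan.nmaprun.host)) {
        $addr   = ($h.address | Where-Object { $_.addrtype -eq 'ipv4' } | Select-Object -First 1).addr
        $port   = $h.ports.port | Where-Object { $_.portid -eq '445' } | Select-Object -First 1
        $script = $port.script | Where-Object { $_.id -eq 'smb-vuln-ms17-010' } | Select-Object -First 1

        # Classification (labels are this example's own):
        #   NO_SMB       - 445 not open, so the exploit has nothing to talk to
        #   VULNERABLE   - the script reported "State: VULNERABLE"
        #   NOT_FLAGGED  - 445 open but the script reported nothing (patched, SMBv1 off, or the probe could not complete)
        #   SCRIPT_ERROR - the script produced output that is not a vulnerable verdict (usually a connection error)
        $state = if (-not $port -or $port.state.state -ne 'open') { 'NO_SMB' }
                 elseif ($script -and $script.output -match 'State:\s*VULNERABLE') { 'VULNERABLE' }
                 elseif ($script) { 'SCRIPT_ERROR' }
                 else { 'NOT_FLAGGED' }

        [pscustomobject]@{
            Host   = $addr
            State  = $state
            Detail = if ($script) { ($script.output -replace '\s+', ' ').Trim() } else { '' }
        }
    }
}

# Usage: summary by state, then the vulnerable hosts as a CSV for the patch / isolation queue.
$sweep = Invoke-Ms17010Sweep -Targets '10.0.0.0/24'   # placeholder range
$sweep | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$sweep | Where-Object State -eq 'VULNERABLE' |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'ms17-010-vulnerable.csv')
```

NOT_FLAGGED is deliberately not reported as "patched": the NSE script stays silent both when the host is fixed and when it could not complete the probe, so hosts in that bucket that are in an affected OS family still deserve the host-side check from section 06.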
STEP 03

Launch EternalBlue pre-auth kernel exploit

The attacker uses the leaked Equation Group exploit, commonly via Metasploit exploit/windows/smb/ms17_010_eternalblue, to corrupt the SMBv1 server's kernel pool and gain code execution as SYSTEM. No valid credentials are normally required. This is the decisive step that makes the bug different from a merely annoying Windows issue.
Conditions required:
  • Confirmed vulnerable SMBv1 target
  • Compatible target behavior and timing
  • Network access to TCP/445
Where this breaks in practice:
  • Exploit reliability is not perfect on every build and may cause crashes or BSODs
  • Some EDR/NDR products now detect classic EternalBlue tradecraft
  • Modern Windows fleets have mostly aged out of the vulnerable versions
Detection/coverage: Good behavioral detection in modern EDR/NDR, but prevention only matters if the target is still reachable and unpatched.
STEP 04

Turn one host into a lateral-movement launcher

Once code execution lands, the attacker can deploy ransomware, a loader, or a post-exploitation implant and then repeat the same attack east-west across flat network segments. This is why the blast radius is the real story: a single forgotten legacy server can become a worm hub. Historic campaigns proved the propagation model at global scale.
Conditions required:
  • Successful code execution on at least one Windows host
  • Additional internal hosts expose TCP/445
  • Segmentation does not block east-west SMB traffic
Where this breaks in practice:
  • Flat networks are less common than in 2017, though still not rare in legacy estates
  • Internal firewalls and segmentation materially slow spread
  • EDR containment can stop follow-on execution after first detonation
Detection/coverage: Mixed. Initial exploitation can be subtle, but follow-on SMB scanning, service creation, and ransomware execution are usually visible in EDR, NDR, and Windows event telemetry.
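The service-creation telemetry mentioned above, as an added hunting example that is not part of the noisgate page: it pulls "A service was installed in the system" events (System log, Service Control Manager, event ID 7045) from a list of hosts and flags services whose binary lives outside the Windows directory. It assumes the running account can read the remote System log; the host names are placeholders and the "Suspicious" heuristic is the example's own.

```powershell
# Added example (not the noisgate page's code): hunt for recent service installs, a common follow-on
# to SMB exploitation. Assumptions: remote event log read access; host names below are placeholders.

function Get-RecentServiceInstalls {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Hours = 24
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045                      # "A service was installed in the system"
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    foreach ($c in $ComputerName) {
        # Get-WinEvent raises an error rather than returning an empty set when nothing matches; treat that as zero events.
        $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in @($events)) {
            # 7045 EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName
            $imagePath = [string]$e.Properties[1].Value
            [pscustomobject]@{
                Computer    = $c
                Time        = $e.TimeCreated
                ServiceName = [string]$e.Properties[0].Value
                ImagePath   = $imagePath
                StartType   = [string]$e.Properties[3].Value
                Account     = [string]$e.Properties[4].Value
                # Heuristic (this example's own): a service binary outside the Windows directory, or under a
                # temp / user / ProgramData path, is what to look at first after a suspected SMB compromise.
                Suspicious  = ($imagePath -notmatch '%SystemRoot%|\\Windows\\') -or
                              ($imagePath -match '\\Temp\\|\\Users\\|\\ProgramData\\')
            }
        }
    }
}

# Usage: last 48 hours across a placeholder host list, suspicious entries first.
Get-RecentServiceInstalls -ComputerName @('FILESRV01', 'LEGACY-APP02') -Hours 48 |
    Sort-Object Suspicious, Time -Descending |
    Format-Table Computer, Time, ServiceName, ImagePath, Account, Suspicious -AutoSize
```

Legitimate software installs also raise 7045, so the value of the query is the combination: a new service on a host that the section 02 sweep flagged, created shortly after a burst of inbound 445 connections, is the pattern worth paging on.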
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: Confirmed exploited. CISA KEV lists CVE-2017-0144 and notes known ransomware campaign use.
KEV dates: Added to KEV on 2022-02-10 with a due date of 2022-08-10.
Proof-of-concept / weaponization: Public weaponization is mature: Rapid7 ships exploit/windows/smb/ms17_010_eternalblue, plus detection module auxiliary/scanner/smb/smb_ms17_010; NVD also references Exploit-DB IDs 41891, 41987, 42030, and 42031.
EPSS: 0.94318 from the prompt, which is extremely high and consistent with a bug that has had years of observed abuse.
CVSS reality check: Current NVD v3.1 shows AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8), but Microsoft's MS17-010 says exploitation is possible by an unauthenticated attacker in most situations. For defenders, the pre-auth reality matters more than the database drift.
Affected versions: Windows Vista SP2; Server 2008 SP2 and 2008 R2 SP1; Windows 7 SP1; Windows 8.1; Server 2012 and 2012 R2; Windows RT 8.1; Windows 10 1507/1511/1607; Server 2016.
Fixed versions / KBs: Fixed by MS17-010 via KB family including 4012598, 4012212/4012215, 4012213/4012216, 4012214/4012217, 4012606, 4013198, and 4013429, depending on OS branch and servicing model.
Scanner coverage: High-confidence detection exists via the Nmap script smb-vuln-ms17-010 and Metasploit's MS17-010 SMB RCE Detection module.
Exposure population: Internet exposure is far lower than in 2017 in well-run enterprises because perimeter 445 is usually blocked, but *internal* exposure remains the real risk. One legacy SMBv1 host inside a flat network is enough to turn this back into a worm problem.
Disclosure / public timeline: Microsoft published MS17-010 on 2017-03-14; the CVE record was published 2017-03-17; widespread WannaCry abuse began 2017-05-12.
04 · The Call

noisgate verdict.

Final Verdict
UPGRADED to CRITICAL (9.8/10)

The single biggest amplifier is that this is a wormable, pre-auth network RCE with proven ransomware history. Even though the reachable population is narrower today because many shops block 445 and removed SMBv1, any remaining exposed host creates outsized blast radius across a large Windows estate.

HIGH: Exploitability and impact on an actually vulnerable SMBv1 host
MEDIUM: How many hosts in a given enterprise are still truly reachable and running SMBv1

Why this verdict

  • Upgraded from vendor 8.8 because the PR:L baseline is misleading: Microsoft stated on March 14, 2017 that in most situations exploitation is possible by an *unauthenticated attacker*, which is a full step worse in practice.
  • KEV plus ransomware history adds hard upward pressure: CISA KEV, WannaCry, and NotPetya mean this is not theoretical exploitability but a repeatedly weaponized propagation path.
  • Blast radius is the reason this stays CRITICAL: external exposure may be reduced, but internal east-west SMB is still common enough that one missed box can become a network-wide spreader in a 10,000-host environment.

Why not higher?

There is no higher bucket than CRITICAL, but this is not a perfect 10.0 because modern enterprises usually block inbound 445, many have already disabled SMBv1, and exploit reliability is not flawless on every target. Those frictions reduce the *reachable population*, not the seriousness of a hit on a reachable host.

Why not lower?

Scoring this as HIGH would overweight perimeter improvements and underweight wormability. The combination of pre-auth network reach, SYSTEM execution, mature public tooling, and long-standing real-world ransomware use keeps this above ordinary remote Windows bugs.

05 · Compensating Control

What to do — in priority order.

  1. Disable SMBv1 everywhere — Remove the vulnerable protocol rather than trying to trust network position. This is the most effective compensating control because the exploit path dies when SMBv1 server support is gone; for a CRITICAL issue with exploitation evidence, deploy within hours.
  2. Block TCP/445 at boundaries and between segments — Enforce deny rules at the internet edge and on east-west paths that do not explicitly require SMB. This reduces worm spread and buys time for patching; because this CVE is KEV-listed, apply the block within hours where business impact allows.
  3. Quarantine or isolate legacy Windows systems — Unsupported or hard-to-patch hosts should be moved into tightly controlled VLANs or firewall groups with only named SMB peers allowed. Do this within hours for any host that still exposes SMBv1 and cannot be patched immediately.
  4. Hunt for MS17-010 detections and SMBv1 inventory gaps — Use vuln scanners, nmap safe checks, and configuration inventory to find every remaining vulnerable node. The goal is fast scoping before the patch rollout; complete the first sweep within hours.
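The first three controls above, as one added host-level PowerShell script that is not part of the noisgate page: it turns off and removes the SMBv1 server, and restricts inbound TCP/445 to a named list of peers so a legacy box that cannot be patched today stays reachable only from the systems that must talk SMB to it. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later with the built-in SmbShare, NetSecurity and DISM/ServerManager cmdlets; the peer addresses and the firewall rule name are placeholders, and without -Apply the script only reports what it would change.

```powershell
# Added example (not the noisgate page's code): disable and remove SMBv1 server, allow-list inbound 445.
# Assumptions: elevated session, Windows 8.1 / Server 2012 R2+; peer list and rule name are placeholders.
param(
    [string[]]$AllowedSmbPeers = @('192.0.2.10', '192.0.2.11'),  # placeholder: file servers / DCs that must reach this host over SMB
    [switch]$Apply                                               # without -Apply, only report what would change
)

function Disable-Smb1Server {
    param([switch]$Apply)
    $cfg = Get-SmbServerConfiguration
    if (-not $cfg.EnableSMB1Protocol) { return 'SMB1 server: already disabled' }
    if (-not $Apply) { return 'SMB1 server: ENABLED (would disable)' }

    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Also remove the component so the vulnerable driver is gone rather than merely switched off.
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null                                     # server SKUs
    } elseif (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null # client SKUs
    }
    return 'SMB1 server: disabled (a reboot completes the feature removal)'
}

function Limit-InboundSmb {
    param([string[]]$Peers, [switch]$Apply)
    $ruleName = 'SMB-In restricted to named peers'   # placeholder name
    # Windows Firewall lets block rules win over allow rules, so an allow-list cannot be built by adding
    # a block: disable every broad inbound TCP/445 allow rule, add one allow rule scoped to the peers,
    # and make sure the profile default inbound action is Block.
    $broadAllow = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                       $_.Enabled -eq 'True' -and $_.DisplayName -ne $ruleName }
    if (-not $Apply) {
        return "Inbound 445: $(@($broadAllow).Count) broad allow rule(s) would be disabled; allow-list would be $($Peers -join ', ')"
    }

    $broadAllow | Disable-NetFirewallRule
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress $Peers -Action Allow -Profile Any | Out-Null
    }
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    return "Inbound 445: limited to $($Peers -join ', ')"
}

Disable-Smb1Server -Apply:$Apply
Limit-InboundSmb -Peers $AllowedSmbPeers -Apply:$Apply
```

Run it once without -Apply to see which existing allow rules would be disabled (on a file server that list is usually the built-in File and Printer Sharing rules), confirm the peer list covers every system that legitimately mounts shares from the host, then rerun with -Apply. Control 4 is the fleet-wide sweep; this script is what to run on each host the sweep turns up.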
What doesn't work
  • MFA does nothing here because the exploit path is normally pre-auth over SMB.
  • SMB signing does not fix the vulnerable SMBv1 request handling bug.
  • Perimeter-only blocking is not enough if internal hosts can still reach each other over 445.
  • Antivirus alone is not sufficient because stopping the payload after kernel-level code execution is already a bad place to be.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host in an elevated PowerShell session: powershell -ExecutionPolicy Bypass -File .\Test-MS17-010.ps1. Local admin is recommended because the script reads the OS version, installed hotfixes, and SMB server configuration; it outputs exactly VULNERABLE, PATCHED, or UNKNOWN and exits 1, 0, or 2 respectively.

noisgate-verify.ps1
PowerShell · read-only · safe
# Test-MS17-010.ps1
# Checks whether a Windows host appears vulnerable to MS17-010 / CVE-2017-0144.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
# Read-only: queries SMB server configuration, the registry, the OS version and installed hotfixes; changes nothing.

$ErrorActionPreference = 'SilentlyContinue'

function Exit-Result {
    param(
        [string]$Status,
        [int]$Code
    )
    Write-Output $Status
    exit $Code
}

function Get-HotFixIds {
    # Get-HotFix enumerates Win32_QuickFixEngineering; it can come back empty where WMI hotfix enumeration is restricted.
    try {
        return @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    } catch {
        return @()
    }
}

function Test-SMBv1Disabled {
    # If the SMBv1 server is disabled, the host is not exploitable via EternalBlue regardless of patch level.
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    try {
        $cfg = Get-SmbServerConfiguration
        if ($null -ne $cfg.EnableSMB1Protocol -and $cfg.EnableSMB1Protocol -eq $false) {
            return $true
        }
    } catch {}

    # Older builds (Vista, 2008, 7, 2008 R2) expose the setting only through the LanmanServer SMB1 registry value (0 = disabled).
    try {
        $val = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1
        if ($null -ne $val -and $val.SMB1 -eq 0) { return $true }
    } catch {}

    return $false
}

# Short-circuit: if SMBv1 is disabled, treat as PATCHED/non-exploitable.
if (Test-SMBv1Disabled) {
    Exit-Result 'PATCHED' 0
}

# Get-CimInstance needs PowerShell 3.0+; Vista SP2 / Server 2008 SP2 may still run PowerShell 2.0, so fall back to Get-WmiObject.
$os = $null
if (Get-Command Get-CimInstance) {
    $os = Get-CimInstance Win32_OperatingSystem
}
if (-not $os) {
    $os = Get-WmiObject Win32_OperatingSystem
}
if (-not $os) {
    Exit-Result 'UNKNOWN' 2
}

$caption = [string]$os.Caption
$build = [int]$os.BuildNumber
$spMajor = 0
try { $spMajor = [int]$os.ServicePackMajorVersion } catch {}

$hotfixes = Get-HotFixIds
if (-not $hotfixes) {
    # Continue anyway; some systems restrict WMI hotfix enumeration.
    $hotfixes = @()
}

# KBs from MS17-010 for supported branches in the 2017 bulletin.
# Caveat: later cumulative rollups that supersede these KBs do not list them in Get-HotFix, so a VULNERABLE
# result on a host patched only through a post-March-2017 rollup is a false positive; confirm such hosts with
# the Nmap smb-vuln-ms17-010 check before acting on the result.
$kbMap = @{
    'VistaSP2_Server2008SP2' = @('KB4012598')
    'Win7SP1_Server2008R2SP1' = @('KB4012212','KB4012215')
    'Win81_Server2012R2' = @('KB4012213','KB4012216')
    'Server2012' = @('KB4012214','KB4012217')
    'Win10_1507' = @('KB4012606')
    'Win10_1511' = @('KB4013198')
    'Win10_1607_Server2016' = @('KB4013429')
}

function Has-AnyKb {
    param([string[]]$Needles, [string[]]$Installed)
    foreach ($kb in $Needles) {
        if ($Installed -contains $kb) { return $true }
    }
    return $false
}

# Determine whether this is one of the affected OS families.
$family = $null

if ($caption -match 'Windows Vista' -and $spMajor -ge 2) {
    $family = 'VistaSP2_Server2008SP2'
} elseif ($caption -match 'Windows Server 2008' -and $caption -notmatch 'R2' -and $spMajor -ge 2) {
    $family = 'VistaSP2_Server2008SP2'
} elseif (($caption -match 'Windows 7' -or $caption -match 'Windows Server 2008 R2') -and $spMajor -ge 1) {
    $family = 'Win7SP1_Server2008R2SP1'
} elseif ($caption -match 'Windows 8.1' -or $caption -match 'Windows Server 2012 R2') {
    $family = 'Win81_Server2012R2'
} elseif ($caption -match 'Windows Server 2012' -and $caption -notmatch 'R2') {
    $family = 'Server2012'
} elseif ($caption -match 'Windows 10') {
    switch ($build) {
        10240 { $family = 'Win10_1507' }
        10586 { $family = 'Win10_1511' }
        14393 { $family = 'Win10_1607_Server2016' }
        default {
            # Other Windows 10 builds are outside the CVE's listed vulnerable client range.
            Exit-Result 'PATCHED' 0
        }
    }
} elseif ($caption -match 'Windows Server 2016') {
    if ($build -eq 14393) {
        $family = 'Win10_1607_Server2016'
    } else {
        Exit-Result 'PATCHED' 0
    }
} else {
    # Not an affected family from the advisory.
    Exit-Result 'PATCHED' 0
}

if (-not $family) {
    Exit-Result 'UNKNOWN' 2
}

$neededKbs = $kbMap[$family]
if (-not $neededKbs) {
    Exit-Result 'UNKNOWN' 2
}

if (Has-AnyKb -Needles $neededKbs -Installed $hotfixes) {
    Exit-Result 'PATCHED' 0
}

# If the host is in an affected family, SMBv1 is not disabled, and we cannot find the MS17-010 KB,
# classify as vulnerable.
Exit-Result 'VULNERABLE' 1
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a hunt for *every remaining SMBv1 host*, not as a normal aging Windows CVE. Because CVE-2017-0144 is KEV-listed and has extensive real-world exploitation history, override the standard bucket timing and patch / mitigate immediately, within hours under the noisgate mitigation SLA; that means disable SMBv1, block unnecessary 445 paths, and isolate any legacy box you cannot touch today. Then finish the vendor patch rollout and retire or quarantine unsupported stragglers within the noisgate remediation SLA of ≤90 days.

Sources

  1. Microsoft Security Bulletin MS17-010
  2. NVD CVE-2017-0144
  3. CISA KEV catalog search result for CVE-2017-0144
  4. CISA Adds 15 Known Exploited Vulnerabilities to Catalog
  5. FIRST EPSS data/stats
  6. Nmap smb-vuln-ms17-010 NSE documentation
  7. Rapid7 Metasploit EternalBlue module
  8. Microsoft customer guidance for WannaCrypt attacks
Peer Review

What defenders are saying.

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.