CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 11 min read

CVE-2017-0144 Explained: EternalBlue, the NSA Exploit Behind WannaCry and NotPetya

The leaked NSA exploit that weaponized a Windows SMBv1 flaw and enabled the two most destructive cyberattacks in history. What it is, how it works, and why unpatched systems are still being compromised today.

Sources:Microsoft Security Bulletin MS17-010|Shadow Brokers|CISA Advisory|NIST NVD
9.8
CVSS Score
$30B+
Combined damage (WannaCry + NotPetya)
150
Countries hit by WannaCry
2017
Patch released March 14

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2017-0144 is a critical remote code execution vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, specifically SMBv1. The flaw allows an unauthenticated attacker to send specially crafted packets to a vulnerable Windows system on port 445 and achieve full remote code execution with SYSTEM privileges, no credentials, no user interaction, no foothold required.

The vulnerability was discovered and weaponized by the NSA as a zero-day exploit called EternalBlue. In April 2017, the Shadow Brokers publicly released EternalBlue along with a cache of other NSA cyberweapons. Microsoft had released patch MS17-010 in March 2017, one month before the leak. Millions of unpatched systems remained exposed.

One month after the Shadow Brokers release, WannaCry ransomware used EternalBlue to self-propagate across global networks, infecting 300,000+ systems across 150 countries in 72 hours. Weeks later, NotPetya used EternalBlue to devastate global shipping, pharmaceutical, and logistics companies.

How CVE-2017-0144 Works: The EternalBlue Exploit Chain

SMBv1 contains a buffer overflow vulnerability in the way it handles certain transaction requests. A flaw in the parsing of Trans2 OPEN2 requests allows an attacker to send malformed packets that corrupt kernel memory. EternalBlue exploits this by sending a sequence of crafted SMB packets that trigger the buffer overflow, overwrite kernel memory structures, and ultimately achieve execution of arbitrary shellcode in kernel space.

What makes EternalBlue particularly dangerous is its wormable nature: it requires no credentials and no user interaction. Any system with SMBv1 enabled and port 445 reachable is immediately vulnerable. Lateral movement through internal networks is trivial, an attacker or worm compromising one machine can immediately scan and exploit all other vulnerable systems on the same network segment.

1

Network Discovery

Attacker or worm scans for systems with port 445 (SMB) open. EternalBlue requires only network connectivity, no credentials whatsoever.

2

SMBv1 Negotiation

Attacker initiates SMB session negotiation, confirming the target supports SMBv1, which was enabled by default on Windows XP through Server 2008 R2.

3

Malformed Trans2 Packets

Attacker sends a sequence of specially crafted Trans2 OPEN2 requests exploiting the buffer overflow in the SMBv1 transaction handling code.

4

Kernel Memory Corruption

The malformed packets trigger a buffer overflow overwriting kernel pool memory structures, enabling control of the instruction pointer.

5

SYSTEM-Level Code Execution

Shellcode executes in kernel context with SYSTEM privileges. EternalBlue typically installs DoublePulsar, a kernel-level backdoor, which then loads the final payload.

6

Lateral Movement

The compromise is used to scan and attack additional systems on the same network, enabling worm-like self-propagation as demonstrated at scale by WannaCry and NotPetya.

Affected Versions and Real-World Impact

CVE-2017-0144 affects all Windows versions with SMBv1 enabled by default: Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows 10, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, and Windows Server 2016. Windows XP and Server 2003 were also vulnerable and received exceptional out-of-band patches in May 2017.

WannaCry (May 12, 2017): Infected 300,000+ systems in 150 countries within 72 hours. Disrupted the UK National Health Service, causing cancelled surgeries. Attributed to North Korea. Total damages: $4–8 billion.

NotPetya (June 27, 2017): Devastated global networks using EternalBlue combined with credential-harvesting tools. Hit Maersk ($300M damages), Merck ($870M), FedEx TNT ($400M). Attributed to Russian military intelligence. Total damages: $10+ billion, the most destructive cyberattack in history.

NotPetya was a cyberweapon disguised as ransomware. It was designed to destroy, not extort.

US Department of Justice Indictment, February 2020
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

How to Patch and Mitigate CVE-2017-0144

Microsoft released patch MS17-010 on March 14, 2017. Any system that applied this patch before May 2017 was protected against WannaCry. Unpatched systems remain actively exploited to this day by ransomware operators for internal network propagation.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2017-0144 and EternalBlue remain among the most actively exploited vulnerabilities on the internet today. Ransomware operators continue using EternalBlue for internal network propagation years after its disclosure. If SMBv1 is still enabled on any system in your environment, that system is compromised-in-waiting. Disable SMBv1, apply MS17-010, and segment your network so SMB is never reachable across trust boundaries.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is EternalBlue (CVE-2017-0144)?

EternalBlue is an NSA-developed exploit for CVE-2017-0144, a buffer overflow in the Windows SMBv1 protocol. It allows unauthenticated remote code execution with SYSTEM privileges via port 445. Leaked by Shadow Brokers in April 2017, it was weaponized by WannaCry and NotPetya ransomware campaigns.

Is EternalBlue still dangerous?

Yes. Ransomware operators continue using EternalBlue for internal network lateral movement years after its 2017 disclosure. Systems with SMBv1 enabled and MS17-010 unpatched remain actively compromised.

How do I protect against EternalBlue?

Apply Microsoft patch MS17-010 immediately. Disable SMBv1 via PowerShell: Set-SmbServerConfiguration -EnableSMB1Protocol $false. Block inbound TCP port 445 at all network perimeters. Segment internal networks so SMB is never reachable across trust boundaries.

What is DoublePulsar and how does it relate to CVE-2017-0144?

DoublePulsar is an NSA-developed kernel-level backdoor payload that EternalBlue installs on compromised systems. After achieving SYSTEM-level code execution via CVE-2017-0144, EternalBlue deploys DoublePulsar as a ring-0 kernel implant that injects malicious DLLs into running processes. WannaCry and NotPetya used DoublePulsar as the persistence mechanism for their final payloads. If forensic investigation finds DoublePulsar on a system, the system was compromised, not just scanned. Detection: public DoublePulsar scanner scripts and major IDS vendors include signatures to identify infected hosts via SMB response inspection.

What was WannaCry ransomware and how did CVE-2017-0144 enable it?

WannaCry was a self-propagating ransomware cryptoworm that infected 300,000+ systems in 150 countries beginning May 12, 2017. It used EternalBlue for unauthenticated network propagation: WannaCry autonomously scanned adjacent IP ranges for port 445, exploited CVE-2017-0144 to install DoublePulsar, then loaded the ransomware payload via DoublePulsar. The worm required no user interaction or phishing, a major escalation of ransomware capability. Attributed to North Korea's Lazarus Group. A kill switch was found by Marcus Hutchins: registering a specific unregistered domain caused WannaCry to stop propagating globally.

How do I verify SMBv1 is fully disabled on my Windows systems?

Run PowerShell on each system: Get-SmbServerConfiguration | Select EnableSMB1Protocol (server role, should return False) and Get-SmbClientConfiguration | Select EnableSMB1Protocol (client role, should return False). Check the registry: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 should be 0 or absent. For domain-wide validation, use Invoke-Command with the above checks against all domain-joined machines. Note: SMBv1 must be disabled on both servers and clients, a server with SMBv1 disabled can still participate in SMBv1 connections initiated by clients.

Sources & references

  1. Microsoft Security Bulletin MS17-010
  2. Shadow Brokers
  3. CISA Advisory
  4. NIST NVD

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.