EternalBlue — SMBv1 Remote Code Execution
CVE-2017-0144 · WannaCry · NotPetya · No Authentication Required

EternalBlue is a critical vulnerability in the Windows SMBv1 protocol that allows an unauthenticated remote attacker to execute arbitrary code on any vulnerable machine over the network. No credentials required. No user interaction required. A single crafted packet sent to port 445 is sufficient to gain full code execution as SYSTEM.
Originally developed by the NSA as an offensive tool, EternalBlue was stolen and leaked by the Shadow Brokers in April 2017. Microsoft patched it in MS17-010 the same month. It was weaponized by WannaCry ransomware in May 2017 and NotPetya in June 2017 — causing an estimated $4–8 billion in global damages. It remains in active use today against unpatched and misconfigured systems.
This vulnerability requires zero authentication. Any machine with SMBv1 enabled and port 445 reachable is fully exploitable from anywhere on the same network segment — and potentially from the internet if not firewalled.
CVE: CVE-2017-0144
CVSS v3: 8.8 HIGH
CWE: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
CISA KEV: Yes — confirmed exploited in the wild
Patch: MS17-010 (April 2017)
Affected: Windows XP, Vista, 7, 8, 10, Server 2003, 2008, 2008 R2, 2012, 2012 R2, 2016
SMBv1 contains a buffer overflow vulnerability in the way it handles transaction requests. An attacker sends a malformed SMB_COM_TRANSACTION2 request to port 445. The Windows SMB server fails to properly validate the secondary transaction sub-command, triggering a buffer overflow in the Windows kernel. This gives the attacker arbitrary kernel-mode code execution — the highest privilege level on Windows.
From there, the attacker typically drops a payload via the DOUBLEPULSAR kernel backdoor implant, also part of the NSA toolkit. WannaCry and NotPetya both used EternalBlue + DOUBLEPULSAR as their propagation mechanism to spread automatically across networks.
Nine years after disclosure, EternalBlue remains one of the most commonly exploited vulnerabilities in enterprise and SMB environments. Reasons it persists:
— Legacy systems that cannot be patched (XP, Server 2003)
— SMBv1 re-enabled by compatibility software or administrators
— New machines provisioned without disabling SMBv1 explicitly
— Virtual machines cloned from old images
— Network shares and print servers that require SMBv1
— No active network monitoring to detect exploitation attempts
Check if SMBv1 is enabled (PowerShell — run as administrator):
Get-SmbServerConfiguration | Select EnableSMB1Protocol
Expected safe result:
EnableSMB1Protocol : False
If the result is True — the system is vulnerable. Apply mitigation immediately.
Check whether a host is exposed to MS17-010 (network scan — Nmap; the separate smb-double-pulsar-backdoor NSE script checks for the DOUBLEPULSAR implant itself):
nmap -p445 --script smb-vuln-ms17-010 <target>
Check Windows Event Log for exploitation attempts:
# Event IDs indicating SMB exploitation attempts
# Look in Security and System logs
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} |
    Where-Object {$_.Message -match "SMB"} |
    Select-Object TimeCreated, Message |
    Format-List
Network-level detection — look for port 445 scanning activity:
netstat -an | findstr ":445"
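The sequential port 445 sweep is the pattern worth alerting on, and the Windows Firewall log records it. The following added example (not from the original page) parses pfirewall.log-style lines and flags any source that touches TCP/445 on several distinct hosts within a short window; the field layout assumed is the default pfirewall.log header order, and the log lines are constructed sample data.

```powershell
# Added example: detect a single source sweeping TCP/445 across a subnet.
# Assumed pfirewall.log layout: date time action protocol src-ip dst-ip src-port dst-port ...
# The lines below are constructed sample data, not a real capture.
$SampleLog = @'
2024-01-15 10:01:02 DROP TCP 10.0.5.77 10.0.5.10 49213 445 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:01:02 DROP TCP 10.0.5.77 10.0.5.11 49214 445 52 S 2 0 8192 - - - RECEIVE
2024-01-15 10:01:03 DROP TCP 10.0.5.77 10.0.5.12 49215 445 52 S 3 0 8192 - - - RECEIVE
2024-01-15 10:01:03 ALLOW TCP 10.0.5.77 10.0.5.13 49216 445 52 S 4 0 8192 - - - RECEIVE
2024-01-15 10:01:04 DROP TCP 10.0.5.77 10.0.5.14 49217 445 52 S 5 0 8192 - - - RECEIVE
2024-01-15 10:01:04 DROP TCP 10.0.5.77 10.0.5.15 49218 445 52 S 6 0 8192 - - - RECEIVE
2024-01-15 10:03:30 ALLOW TCP 10.0.5.20 10.0.5.10 51000 445 52 S 7 0 8192 - - - RECEIVE
2024-01-15 10:04:00 ALLOW TCP 10.0.5.20 10.0.5.10 51001 80 52 S 8 0 8192 - - - RECEIVE
'@

function Find-Smb445Sweeps {
    param(
        [string[]]$Lines,
        [int]$MinTargets = 5,      # distinct destinations before a source is flagged
        [int]$WindowMinutes = 5    # all hits must fall inside this span
    )
    # Keep only TCP rows whose destination port is 445; ignore comments and blanks.
    $hits = foreach ($l in $Lines) {
        if ($l -match '^\s*(#|$)') { continue }
        $f = $l.Trim() -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    # One source hitting many hosts on 445 in a short window is the sweep signature.
    foreach ($g in ($hits | Group-Object Src)) {
        $sorted  = @($g.Group | Sort-Object Time)
        $span    = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $targets = @($sorted.Dst | Sort-Object -Unique).Count
        if ($targets -ge $MinTargets -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Source = $g.Name; DistinctTargets = $targets
                Minutes = [math]::Round($span, 1); First = $sorted[0].Time; Last = $sorted[-1].Time
            }
        }
    }
}

Find-Smb445Sweeps -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against a real log, replace $SampleLog with Get-Content on the firewall log path and raise $MinTargets to suit the subnet size; 10.0.5.77 is the only source flagged in the sample.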
Protocol: SMBv1 (port 445/TCP)
CVE: CVE-2017-0144
Patch: MS17-010
DOUBLEPULSAR: Kernel backdoor implant — follows EternalBlue exploitation
WannaCry C2: Check network for outbound 443/TCP to Tor exit nodes
WannaCry kill switch: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (kill switch domain) (Do NOT query — historical reference only)
NotPetya: No kill switch — wiper malware, not ransomware
Scanning pattern: Sequential port 445 scans across /24 subnet range

Step 1 — Disable SMBv1 (Server):

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Step 2 — Disable SMBv1 (Client):

Set-SmbClientConfiguration -EnableSMB1Protocol $false -Force

Step 3 — Disable SMBv1 via Windows Features (belt and suspenders):

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

Step 4 — Block port 445 inbound at firewall:

New-NetFirewallRule -Name "Block-SMBv1-Inbound" -DisplayName "Block SMBv1 Inbound" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block

Step 5 — Apply MS17-010 patch if not already applied:

Run Windows Update or deploy KB4012212 (Win 7), KB4012213 (Server 2012), KB4012214 (Server 2008) as appropriate for your OS version.

Step 6 — Verify:

Get-SmbServerConfiguration | Select EnableSMB1Protocol # Expected: EnableSMB1Protocol : False
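Steps 1 through 6 are easier to roll out as one idempotent audit-then-remediate pass that only changes what is still wrong. The following added script is an example written for this page, not Barr Cyber tooling; it assumes the SMB1Protocol-Server and SMB1Protocol-Client optional-feature names and the firewall rule name used in Step 4, and it reuses the KB numbers listed in Step 5. Run as administrator; -AuditOnly reports without changing anything.

```powershell
# Added example: audit SMBv1 exposure, then apply Steps 1-4 only where needed.
# Assumes the SMB1Protocol-Server / SMB1Protocol-Client feature names (hypothetical
# for your build if they differ) and the KB list from Step 5 above.
param([switch]$AuditOnly)

$PatchKBs = 'KB4012212', 'KB4012213', 'KB4012214'   # from Step 5; add your OS's KB
$RuleName = 'Block-SMBv1-Inbound'                    # from Step 4

function Get-Smb1Exposure {
    $srv  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $fSrv = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Server).State
    $fCli = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client).State
    $rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
    $kb   = Get-HotFix | Where-Object HotFixID -in $PatchKBs
    [pscustomobject]@{
        ServerSmb1Enabled  = [bool]$srv
        ServerFeatureState = $fSrv
        ClientFeatureState = $fCli
        InboundBlockRule   = [bool]$rule
        MS17010Patch       = if ($kb) { $kb.HotFixID -join ',' } else { 'not found' }
    }
}

$before = Get-Smb1Exposure
Write-Host 'Before:'; $before | Format-List
if ($AuditOnly) { return $before }

# Step 1 / Step 2: protocol switches
if ($before.ServerSmb1Enabled) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
Set-SmbClientConfiguration -EnableSMB1Protocol $false -Force
# Step 3: remove the feature entirely (no reboot here; schedule one)
foreach ($feat in 'SMB1Protocol-Client', 'SMB1Protocol-Server', 'SMB1Protocol') {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $feat).State
    if ($state -ne 'Disabled') { Disable-WindowsOptionalFeature -Online -FeatureName $feat -NoRestart | Out-Null }
}
# Step 4: inbound block, created once
if (-not $before.InboundBlockRule) {
    New-NetFirewallRule -Name $RuleName -DisplayName 'Block SMBv1 Inbound' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block | Out-Null
}
# Step 5 is Windows Update; only report here
if ($before.MS17010Patch -eq 'not found') { Write-Warning 'No MS17-010 KB found; run Windows Update.' }

# Step 6: verify
$after = Get-Smb1Exposure
Write-Host 'After:'; $after | Format-List
if ($after.ServerSmb1Enabled) { Write-Warning 'SMBv1 server still enabled; a reboot may be required.' }
return $after
```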

Disabling SMBv1 may break legacy applications that require it. Test in a non-production environment first. Windows 10 1709+ and Windows Server 2019+ ship with SMBv1 disabled by default. All earlier versions must be explicitly disabled.
Barr Cyber — Endpoint Hardening & System Configuration

SMBv1 elimination is one of the first controls applied in every Barr Cyber endpoint hardening engagement. If your machines have never been audited for legacy protocol exposure, contact Barr Cyber.
