CVE-2017-0144 Explained: EternalBlue, the NSA Exploit Behind WannaCry and NotPetya
The leaked NSA exploit that weaponized a Windows SMBv1 flaw and enabled the two most destructive cyberattacks in history. What it is, how it works, and why unpatched systems are still being compromised today.

Founder & Cybersecurity Evangelist
CVE-2017-0144 is a critical remote code execution vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, specifically SMBv1. The flaw allows an unauthenticated attacker to send specially crafted packets to a vulnerable Windows system on port 445 and achieve full remote code execution with SYSTEM privileges — no credentials, no user interaction, no foothold required.
The vulnerability was discovered and weaponized by the NSA as a zero-day exploit called EternalBlue. In April 2017, the Shadow Brokers publicly released EternalBlue along with a cache of other NSA cyberweapons. Microsoft had released patch MS17-010 in March 2017 — one month before the leak. Millions of unpatched systems remained exposed.
One month after the Shadow Brokers release, WannaCry ransomware used EternalBlue to self-propagate across global networks, infecting 300,000+ systems across 150 countries in 72 hours. Weeks later, NotPetya used EternalBlue to devastate global shipping, pharmaceutical, and logistics companies.
How CVE-2017-0144 Works: The EternalBlue Exploit Chain
SMBv1 contains a buffer overflow vulnerability in the way it handles certain transaction requests. A flaw in the parsing of Trans2 OPEN2 requests allows an attacker to send malformed packets that corrupt kernel memory. EternalBlue exploits this by sending a sequence of crafted SMB packets that trigger the buffer overflow, overwrite kernel memory structures, and ultimately achieve execution of arbitrary shellcode in kernel space.
What makes EternalBlue particularly dangerous is its wormable nature: it requires no credentials and no user interaction. Any system with SMBv1 enabled and port 445 reachable is immediately vulnerable. Lateral movement through internal networks is trivial — an attacker or worm compromising one machine can immediately scan and exploit all other vulnerable systems on the same network segment.
Network Discovery
Attacker or worm scans for systems with port 445 (SMB) open. EternalBlue requires only network connectivity — no credentials whatsoever.
SMBv1 Negotiation
Attacker initiates SMB session negotiation, confirming the target supports SMBv1, which was enabled by default on Windows XP through Server 2008 R2.
Malformed Trans2 Packets
Attacker sends a sequence of specially crafted Trans2 OPEN2 requests exploiting the buffer overflow in the SMBv1 transaction handling code.
Kernel Memory Corruption
The malformed packets trigger a buffer overflow overwriting kernel pool memory structures, enabling control of the instruction pointer.
SYSTEM-Level Code Execution
Shellcode executes in kernel context with SYSTEM privileges. EternalBlue typically installs DoublePulsar — a kernel-level backdoor — which then loads the final payload.
Lateral Movement
The compromise is used to scan and attack additional systems on the same network, enabling worm-like self-propagation as demonstrated at scale by WannaCry and NotPetya.
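A defender-side complement to the lateral-movement step, added here and not part of the original article: a PowerShell function that flags a host opening TCP 445 connections to many distinct peers inside a short window, the fan-out pattern a self-propagating worm produces after compromising one machine. The connection records, addresses and thresholds are constructed for the example; in practice the same shape is built from firewall or flow logs.

```powershell
# Added example (not from the original article): detect worm-style SMB fan-out from
# per-connection records with Time, Src, Dst and DstPort fields.

function Find-Smb445FanOut {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # objects with Time, Src, Dst, DstPort
        [int] $MinDistinctTargets = 10,               # thresholds are this example's assumptions
        [int] $WindowSeconds = 60
    )
    # Only 445 traffic matters here; group the attempts per originating host.
    $bySource = $Records | Where-Object { $_.DstPort -eq 445 } | Group-Object -Property Src
    foreach ($group in $bySource) {
        $events = @($group.Group | Sort-Object -Property Time)
        # Slide a window across this source's attempts and report the first window
        # that reaches the distinct-target threshold.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $windowEnd = $events[$i].Time.AddSeconds($WindowSeconds)
            $targets = @($events[$i..($events.Count - 1)] |
                Where-Object { $_.Time -le $windowEnd } |
                Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -ge $MinDistinctTargets) {
                [pscustomobject]@{
                    Source          = $group.Name
                    DistinctTargets = $targets.Count
                    WindowStart     = $events[$i].Time
                }
                break
            }
        }
    }
}

# Constructed sample records (not real traffic): 10.0.1.15 is an ordinary client
# talking to one file server; 10.0.1.77 sweeps neighbouring hosts on 445 the way
# a worm does once it has a foothold.
$t0 = [datetime]'2017-05-12T10:00:00'
$sample = @()
foreach ($n in 1..12) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds($n);     Src = '10.0.1.15'; Dst = '10.0.1.100';        DstPort = 445 }
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(5 * $n); Src = '10.0.1.77'; Dst = "10.0.1.$($n + 20)"; DstPort = 445 }
}

Find-Smb445FanOut -Records $sample | Format-Table -AutoSize
```

Only 10.0.1.77 is reported: twelve distinct peers inside one minute, while 10.0.1.15 hits a single target however often it connects.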
Affected Versions and Real-World Impact
CVE-2017-0144 affects all Windows versions with SMBv1 enabled by default: Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows 10, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, and Windows Server 2016. Windows XP and Server 2003 were also vulnerable and received exceptional out-of-band patches in May 2017.
WannaCry (May 12, 2017): Infected 300,000+ systems in 150 countries within 72 hours. Disrupted the UK National Health Service, causing cancelled surgeries. Attributed to North Korea. Total damages: $4–8 billion.
NotPetya (June 27, 2017): Devastated global networks using EternalBlue combined with credential-harvesting tools. Hit Maersk ($300M damages), Merck ($870M), FedEx TNT ($400M). Attributed to Russian military intelligence. Total damages: $10+ billion — the most destructive cyberattack in history.
“NotPetya was a cyberweapon disguised as ransomware. It was designed to destroy, not extort.”
— US Department of Justice Indictment, February 2020
How to Patch and Mitigate CVE-2017-0144
Microsoft released patch MS17-010 on March 14, 2017. Any system that applied this patch before May 2017 was protected against WannaCry. Unpatched systems remain actively exploited to this day by ransomware operators for internal network propagation.
Apply MS17-010 immediately
Install Security Bulletin MS17-010. Standalone packages are available on the Microsoft Update Catalog for all affected versions including XP and Server 2003.
Disable SMBv1 entirely
SMBv1 is a 30-year-old protocol with no modern use case. Disable it via PowerShell: Set-SmbServerConfiguration -EnableSMB1Protocol $false
Block port 445 at the network perimeter
Block inbound TCP port 445 at all internet-facing firewalls. SMB should never be exposed to the internet. Also restrict lateral SMB access between workstations using host-based firewall rules.
Isolate or decommission EOL systems
Windows XP and Server 2003 cannot receive regular updates. Isolate them on separate VLANs with no SMB access to or from the broader network, or decommission entirely.
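The disable-SMBv1 and block-445 mitigations above as one auditable PowerShell script, added here and not taken from the article. It assumes an elevated session, relies on the SmbShare, NetTCPIP and NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later, and falls back to the LanmanServer registry switch where Set-SmbServerConfiguration is absent (Windows 7 / Server 2008 R2); the firewall rule name is the example's own choice.

```powershell
# Added example (not from the original article): audit the local host for SMBv1 exposure and
# apply the disable-SMBv1 and block-445 mitigations. Run from an elevated PowerShell session.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Exposure {
    # SMBv1 server state plus whether anything is listening on TCP 445.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older hosts: a missing SMB1 value under LanmanServer\Parameters means the default, enabled.
        $v = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $v) -or ($v -ne 0)
    }
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Smb1Enabled   = [bool]$smb1
        Port445Listen = [bool]$listening
    }
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # effective immediately
    }
    # Registry switch read by LanmanServer at service start; covers hosts without the cmdlet
    # and persists across the reboot the feature removal below requires.
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null   # Server 2012 R2+
    } elseif (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null   # Windows 8.1 / 10
    }
}

function Block-InboundSmb {
    # Host-based rule: drop inbound TCP 445 on the Public and Private profiles so
    # workstation-to-workstation SMB is refused while domain-profile file services keep
    # working. The rule name is this example's choice.
    New-NetFirewallRule -DisplayName 'Block inbound SMB TCP 445 (SMBv1 hardening)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block `
        -Profile Public, Private | Out-Null
}

$state = Get-Smb1Exposure
if ($state.Smb1Enabled) { Disable-Smb1Server }
Block-InboundSmb
Get-Smb1Exposure | Format-List
```

Applying MS17-010 itself is still a patch-management step (the KB numbers differ per Windows version); this script confirms only that the SMBv1 server is off and that 445 is no longer reachable from untrusted profiles.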
The bottom line
CVE-2017-0144 and EternalBlue remain among the most actively exploited vulnerabilities on the internet today. Ransomware operators continue using EternalBlue for internal network propagation years after its disclosure. If SMBv1 is still enabled on any system in your environment, that system is compromised-in-waiting. Disable SMBv1, apply MS17-010, and segment your network so SMB is never reachable across trust boundaries.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.