Tags: EternalBlue, MS17-010, WannaCry, Windows, SMB, ransomware

EternalBlue and MS17-010: The Vulnerability Behind WannaCry

MS17-010 is the Microsoft bulletin that patched the Windows SMBv1 flaw exploited by EternalBlue, the exploit behind WannaCry and NotPetya. Technical analysis, global impact and protection measures.

April 23, 2026 | 3 min read

In May 2017, the WannaCry ransomware paralyzed hundreds of thousands of systems across 150 countries in a matter of hours — hospitals, factories, banks. Its weapon: EternalBlue, an exploit developed by the NSA and leaked by the Shadow Brokers group, targeting a flaw in Windows' SMBv1 implementation (CVE-2017-0144) that Microsoft had already fixed in security bulletin MS17-010.

What is MS17-010?

MS17-010 is the Microsoft security bulletin of March 2017 for a set of critical vulnerabilities in the Windows implementation of SMBv1 (Server Message Block version 1), the file and printer sharing protocol used across Windows networks. The one EternalBlue exploits, CVE-2017-0144, is a flaw in how the SMBv1 server driver (srv.sys) handles certain requests: an unauthenticated remote attacker can execute arbitrary code in kernel mode, which is effectively SYSTEM privilege.

CVSS Score: 9.3 (CVSS v2) / 8.1 (CVSS v3); Microsoft severity rating: Critical
Published: March 14, 2017
Patch: MS17-010 (for example KB4012212, the Windows 7 / Server 2008 R2 security-only update; each Windows version has its own KB number, and later rollups and cumulative updates supersede them)

Affected Versions

  • Windows XP, Vista, 7, 8, 8.1, 10
  • Windows Server 2003, 2008, 2008 R2, 2012, 2016
  • Any of the above with the SMBv1 server enabled (the vulnerable code lives in the SMBv1 server driver, srv.sys)

EternalBlue: The NSA's Exploit

EternalBlue is the name of the exploit the NSA developed for the SMBv1 flaw patched by MS17-010 (CVE-2017-0144), publicly leaked in April 2017 by the Shadow Brokers. It exploits a kernel pool buffer overflow in srv.sys: when the SMBv1 server converts a list of OS/2-style extended attributes (FEA) received in a large transaction into NT format, a size-calculation bug lets the attacker write past the allocated buffer, corrupt adjacent kernel pool memory and execute shellcode in kernel mode.

The exploit is particularly dangerous because:

  • No authentication required — port 445 just needs to be reachable
  • Automatic propagation — WannaCry replicated without human interaction
  • High reliability — very dependable against unpatched Windows 7 / Server 2008 R2, the most common targets in 2017 (on other versions the leaked exploit was less stable and could crash the target with a blue screen)

WannaCry: The Global Attack

On May 12, 2017, WannaCry combined EternalBlue with DoublePulsar (the NSA kernel-mode backdoor that EternalBlue installs, which WannaCry also reused on hosts already implanted) to spread at unprecedented speed:

  • 300,000+ machines infected within 72 hours
  • 150 countries affected
  • NHS (UK): around 80 NHS trusts affected, with operations and appointments cancelled
  • Renault: several production plants shut down
  • Deutsche Bahn: station information displays showed the ransom note
  • Telefónica: internal network compromised

The ransom demanded: $300–$600 in Bitcoin per machine. But the main damage was data loss and business disruption, not the ransom payments themselves.

British researcher Marcus Hutchins discovered a kill switch in the code: before spreading, WannaCry tried to contact a hard-coded, unregistered domain and exited if the request succeeded. Registering that domain stopped propagation on every infected host that could reach it, limiting the attack's scale; hosts whose outbound traffic was blocked (for example behind a proxy) kept spreading, and later samples changed or dropped the check.

NotPetya: Even More Destructive

Six weeks later, on June 27, 2017, NotPetya used the same EternalBlue exploit (together with its sibling EternalRomance), but with no kill switch and no working recovery mechanism: it was a wiper disguised as ransomware. It entered through a trojanized update of the Ukrainian accounting software M.E.Doc and, once inside a network, also spread with stolen credentials over PsExec and WMI, so fully patched machines were hit too. Initially aimed at Ukraine, NotPetya caused roughly $10 billion in global damages (Maersk, Merck, FedEx, Saint-Gobain…).

Why Were Systems Still Unpatched?

Microsoft had released MS17-010 in March 2017 — two months before WannaCry. Yet hundreds of thousands of machines remained unpatched:

  1. Legacy systems — Windows XP in hospitals and factories (Microsoft had to release an exceptional XP patch)
  2. Environment complexity — patching in production requires testing
  3. SMBv1 enabled by default — Windows installed and enabled SMBv1 out of the box until Windows 10 version 1709 and Windows Server version 1709 (autumn 2017)
  4. Lack of patch management — many organizations had no structured process

How to Protect Your Systems

1. Apply Windows Patches

The MS17-010 patch has been available since March 2017 for all supported versions. Microsoft even released patches for Windows XP and Server 2003 following WannaCry.

2. Disable SMBv1

# Disable the SMBv1 server (Windows 8 / Server 2012 and later; -Force skips the confirmation prompt)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Remove the SMBv1 optional feature, client and server components (Windows 8.1 / Windows 10; reboot required)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Windows 7 and Server 2008 R2 do not have these cmdlets: there the server side is switched off with the SMB1 value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, and the client side by disabling the mrxsmb10 driver.

3. Block Port 445 Inbound

Never expose TCP port 445 (SMB; the older NetBIOS session port 139 carries SMB as well) to the internet. Filter it at perimeter firewalls and between network segments, so that only hosts that actually serve files accept it.
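The three host-level measures above, patch state, SMBv1 and port 445, can be audited and applied in one pass. The script below is an added example, not code from the original post: it assumes an elevated PowerShell 3.0 or later session on Windows 7 / Server 2008 R2 or newer, and the KB numbers it looks for are the March 2017 MS17-010 updates for each OS family. Later rollups and, on Windows 10 / Server 2016, cumulative updates supersede those KBs, so "KB not found" is a prompt to check your patch baseline rather than proof of exposure; the SMBv1 state is the decisive check.

```powershell
# Added example, not code from the original post: audit the local host for MS17-010
# exposure and apply mitigations 1-3 (patch check, SMBv1 off, TCP 445 blocked on public
# networks). Assumptions: elevated PowerShell 3.0+, Windows 7 / Server 2008 R2 or newer.
# KB numbers are the March 2017 MS17-010 updates; later rollups and cumulative updates
# supersede them, so a missing KB is a hint to verify, not proof of exposure.

$os      = Get-CimInstance Win32_OperatingSystem
$version = [version]$os.Version
$family  = '{0}.{1}' -f $version.Major, $version.Minor   # 6.1 = Win7/2008 R2, 6.3 = 8.1/2012 R2

# --- 1. Patch state ---------------------------------------------------------------
$ms17010 = @{
    '6.0' = @('KB4012598')                # Vista / Server 2008
    '6.1' = @('KB4012212', 'KB4012215')   # Windows 7 / Server 2008 R2 (security-only / rollup)
    '6.2' = @('KB4012214', 'KB4012217')   # Server 2012
    '6.3' = @('KB4012213', 'KB4012216')   # Windows 8.1 / Server 2012 R2
}
if ($ms17010.ContainsKey($family)) {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $ms17010[$family] | Where-Object { $installed -contains $_ }
    if ($found) { "MS17-010 installed: $($found -join ', ')" }
    else { "WARNING: none of $($ms17010[$family] -join ', ') found; confirm a later rollup is installed" }
} else {
    # Windows 10 / Server 2016+: the fix is in cumulative updates, so report the build instead
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name UBR -ErrorAction SilentlyContinue).UBR
    "Windows build $($os.BuildNumber).$ubr : compare with the March 2017 cumulative update for this release"
}

# --- 2. SMBv1 ---------------------------------------------------------------------
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        'SMBv1 server disabled'
    } else { 'SMBv1 server already disabled' }
} else {
    # Windows 7 / Server 2008 R2: registry value for the server (absent = enabled),
    # workstation dependency plus the mrxsmb10 driver for the client
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cur = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($cur -ne 0) {
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        'SMBv1 server disabled via registry (reboot required)'
    } else { 'SMBv1 server already disabled' }
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    'SMBv1 client driver (mrxsmb10) disabled (reboot required)'
}
# Windows 8.1 / 10 also ship SMBv1 as a removable optional feature (client and server).
# Server SKUs use Remove-WindowsFeature FS-SMB1 instead.
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        'SMB1Protocol optional feature removed (reboot required)'
    }
}

# --- 3. Block inbound TCP 445 on the Public profile -------------------------------
# Host-level guard for machines on untrusted networks; filtering between internal
# segments belongs on the network firewalls, not on every host.
$ruleName = 'Block inbound SMB (TCP 445) on public networks'
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
        "Firewall rule added: $ruleName"
    }
} elseif (-not ((netsh advfirewall firewall show rule name="$ruleName") -match 'Rule Name')) {
    # Windows 7 / Server 2008 R2 have no NetSecurity module; netsh does the same job
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
        protocol=TCP localport=445 profile=public | Out-Null
    "Firewall rule added: $ruleName"
}
```

Run it once per host and keep the output in your inventory; the registry and driver changes on Windows 7 only take effect after a reboot. For an independent view from the network side, the nmap script smb-vuln-ms17-010 probes a host over port 445 and reports whether it is still vulnerable, which is the check an attacker's scanner performs.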

4. Network Segmentation

WannaCry's rapid spread was enabled by flat networks. VLANs with inter-segment filtering would have dramatically reduced the blast radius.

5. Offline Backups

WannaCry encrypted mounted network drives. Disconnected backups (3-2-1 rule) remain the last line of defense.

EternalBlue in 2024–2025: Still Active

Despite dating from 2017, EternalBlue is still heavily used in cyberattacks. Internet-wide scanners constantly probe port 445 for vulnerable machines, and malware families integrate the exploit to spread laterally once an initial foothold is gained.
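That lateral spread has a recognisable shape in network logs: one source opening SMB connections to many distinct hosts within seconds, which is what WannaCry's scanning thread looked like from the inside of a flat network. The following detector is an added example, not code from the original post. It parses lines in the Windows Firewall text log format (pfirewall.log) as they would arrive in a central log store, and flags any source that reaches at least a threshold number of distinct hosts on TCP 445 within a sliding window. The log lines are constructed sample data, not a real capture, and the threshold and window are assumptions to tune for your environment.

```powershell
# Added example, not code from the original post: detect one host sweeping TCP 445
# across many neighbours, the propagation pattern of EternalBlue-armed malware.
# Input format: Windows Firewall text log (pfirewall.log). The sample lines below are
# constructed, not a real capture; MinTargets and WindowSeconds are assumed values.

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # skip the header (#Version / #Software / #Fields) and blank lines
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split ' '
        if ($f.Count -lt 8) { continue }
        [pscustomobject]@{
            Time     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            SrcPort  = [int]$f[6]
            DstPort  = [int]$f[7]
        }
    }
}

function Find-SmbSweep {
    param(
        [object[]]$Events,
        [int]$MinTargets    = 10,   # distinct destination hosts on 445 ...
        [int]$WindowSeconds = 60    # ... seen within this sliding window
    )
    $smb = $Events | Where-Object { $_.Protocol -eq 'TCP' -and $_.DstPort -eq 445 }
    foreach ($group in ($smb | Group-Object SrcIp)) {
        $ev = @($group.Group | Sort-Object Time)
        $start = 0
        for ($i = 0; $i -lt $ev.Count; $i++) {
            # slide the window start forward until the span fits in WindowSeconds
            while (($ev[$i].Time - $ev[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            $targets = @($ev[$start..$i] | Select-Object -ExpandProperty DstIp -Unique)
            if ($targets.Count -ge $MinTargets) {
                [pscustomobject]@{
                    SrcIp   = $group.Name
                    Targets = $targets.Count
                    First   = $ev[$start].Time
                    Last    = $ev[$i].Time
                }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample: a user reaching the file server twice, an internet scanner
# touching two hosts, and one workstation sweeping twelve neighbours in twelve seconds.
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2017-05-12 13:00:10 ALLOW TCP 10.0.1.5 10.0.1.10 50211 445 0 - 0 0 0 - - - RECEIVE'
    '2017-05-12 13:00:41 ALLOW TCP 10.0.1.5 10.0.1.10 50212 445 0 - 0 0 0 - - - RECEIVE'
    '2017-05-12 13:00:55 DROP TCP 203.0.113.7 10.0.1.10 41000 445 52 S 0 0 0 - - - RECEIVE'
    '2017-05-12 13:00:56 DROP TCP 203.0.113.7 10.0.1.11 41001 445 52 S 0 0 0 - - - RECEIVE'
)
foreach ($n in 0..11) {
    $sampleLog += '2017-05-12 13:01:{0:D2} DROP TCP 10.0.1.23 10.0.1.{1} {2} 445 52 S 0 0 0 - - - RECEIVE' -f $n, (10 + $n), (49152 + $n)
}

$events = ConvertFrom-FirewallLog -Lines $sampleLog
Find-SmbSweep -Events $events | Format-Table -AutoSize
```

The sweep is counted on distinct destinations rather than raw connection count, so a user hammering a single file server never trips it, while the two-host probe from the internet stays below the threshold and only the workstation fanning out across its subnet is reported. Both DROP and ALLOW lines are considered on purpose: on a flat network the worm's connections to real SMB servers are allowed, and those are the ones that matter.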

If you still have unpatched Windows machines or SMBv1 enabled on your network, you remain at risk.


Check your Windows systems on cveo.tech — search for MS17-010 or SMB to see all associated CVEs and compare against your versions.
