Cyber Resilience

CVE-2017-0146

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 17 March 2017

Modified: 22 April 2026
KEV Added: 25 March 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9329 (99.8th percentile)
Risk Priority: 94 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-0146 is a high-severity vulnerability of unspecified weakness class in the Microsoft Windows SMBv1 server; affected products include Siemens Acuson P300 Firmware. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).

Deeper analysis

The vulnerability is a remote code execution flaw in the SMBv1 server implementation across multiple Microsoft Windows versions, including Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold/1511/1607, and Windows Server 2016. It is triggered by specially crafted packets sent to the server and is distinct from the related issues tracked as CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148. The flaw received a CVSS 3.1 base score of 8.8.

Remote attackers with network access can leverage the vulnerability to execute arbitrary code on affected systems without requiring user interaction or elevated privileges beyond a valid SMB session. Successful exploitation grants full control over the target, enabling actions such as installing malware, exfiltrating data, or pivoting within a network.

Public references associate the issue with DOUBLEPULSAR payload execution and neutralization techniques, along with Siemens product security advisory SSA-701903 that addresses affected industrial systems. Additional tracking appears in SecurityFocus BID 96707 and SecurityTracker ID 1037991.

The listed exploit references indicate active interest in weaponization of the flaw shortly after disclosure.

EU & UK References

Vulnerability details

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.

CWE(s)
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
microsoft | server message block | 1.0
siemens | acuson p300 firmware | 13.02, 13.03, 13.20, 13.21
siemens | acuson p500 firmware | va10, vb10
siemens | acuson sc2000 firmware | 5.0a · 4.0 — 4.0e
siemens | acuson x700 firmware | 1.0, 1.1
siemens | syngo sc2000 firmware | 5.0a · 4.0 — 4.0e
siemens | tissue preparation system firmware | all versions
siemens | versant kpcr molecular system firmware | all versions
siemens | versant kpcr sample prep firmware | all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly mitigates the CVE by disabling the SMBv1 service (an unnecessary protocol) so crafted packets cannot reach the vulnerable server implementation.

prevent: Blocks inbound SMB traffic at network boundaries, preventing remote attackers from sending the crafted packets that trigger RCE in SMBv1.

prevent: Requires prompt installation of vendor patches that eliminate the SMBv1 remote code execution flaw before exploitation can occur.
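
The first two controls above, sketched as an added PowerShell example that is not part of the original page: it reports whether the SMBv1 server is enabled and, only when run with the hypothetical -Remediate switch, disables it and adds a host-firewall block for inbound TCP 445. The helper function names and the rule display name are assumptions made for this example; the cmdlets and the LanmanServer registry value are standard Windows ones.

```powershell
# Added example (not from the page). Run from an elevated PowerShell session.
# Audit-only by default; pass -Remediate to change the host.
param([switch]$Remediate)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1ServerEnabled {          # hypothetical helper name
    # Windows 8 / Server 2012 and later: the SmbShare module reports the setting.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Vista / 7 / Server 2008 (R2): registry value "SMB1"; absent means enabled.
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1Server {              # hypothetical helper name
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0
        Write-Warning 'Restart the host for the registry change to take effect.'
    }
}

$enabled = Test-Smb1ServerEnabled
Write-Output ("SMBv1 server enabled: {0}" -f $enabled)

if ($enabled -and $Remediate) {
    Disable-Smb1Server
    Write-Output ("SMBv1 server enabled after change: {0}" -f (Test-Smb1ServerEnabled))
}

# Host-level complement to blocking SMB at the network boundary. Only for hosts
# that are not meant to serve files: this also stops legitimate SMBv2/v3 clients.
if ($Remediate -and (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
    $name = 'Block inbound SMB 445 (example rule)'   # constructed display name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}
```

Neither change replaces the vendor patch named in the third control; they reduce exposure of the SMBv1 server until the patch is installed.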

References