| Field | Details |
|---|---|
| CVE ID | CVE-2017-0144 |
| Affected software | Windows SMBv1 (Windows Vista through Windows Server 2016, unpatched) |
| Severity | CVSS 8.1 (High) — wormable remote code execution |
| Fixed in | Microsoft security update MS17-010 (March 2017) |
| Disclosed | March 14, 2017 (publicly leaked exploit April 2017) |

What Happened
SMB (Server Message Block) is the protocol Windows machines use to share files and printers over a network. A flaw in how the older SMBv1 implementation handled certain crafted network packets let an attacker corrupt memory on the receiving machine and run their own code on it — with no user interaction required.
Microsoft patched this quietly in March 2017. A month later, a hacking toolkit containing a working exploit for it (codenamed EternalBlue) was leaked publicly. Within weeks, the WannaCry ransomware combined EternalBlue with self-spreading "worm" behavior: it didn't need anyone to click anything — it scanned networks for other vulnerable machines and infected them automatically.
What This Means
This is a wormable RCE — the most dangerous possible combination. "Remote code execution" means an attacker can run arbitrary commands on your machine from across a network; "wormable" means malware exploiting it can spread machine-to-machine with zero human action, the same way the Slammer and Conficker worms did in earlier decades.
Why You Should Care
EternalBlue shows the real-world cost of unpatched systems: the fix had existed for two months before WannaCry hit, but huge numbers of organizations — including parts of the UK's National Health Service — were still running unpatched, internet- or network-exposed SMB, and paid for it with encrypted files and halted operations.
What You Can Do
- Apply security patches promptly, especially "critical"-rated ones for network-facing services — patching lag is the single biggest reason old CVEs keep causing new damage.
- Disable SMBv1 entirely if you don't need it; it's been deprecated in favor of SMBv2/3 since long before this CVE.
- Don't expose SMB (port 445) directly to the internet — keep it on internal/trusted networks only, behind a firewall.
- Maintain offline, tested backups, since wormable ransomware can spread faster than a human response team can react.
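
The automatic scanning described above has a recognizable shape on the network: one machine opening SMB (TCP 445) connections to many different hosts in a short time. The script below is an added example, not part of the original page, that flags this pattern in connection logs; the log format, the 60-second window, the threshold of five hosts, and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic), oldest first.
# Assumed format: "<ISO timestamp> <source IP> <destination IP> <destination port>"
SAMPLE_LOG = "\n".join(
    [
        "2024-01-15T09:00:00 10.0.0.5 10.0.0.20 445",  # workstation to file server
        "2024-01-15T09:00:03 10.0.0.5 10.0.0.21 445",  # same workstation, second share
        "2024-01-15T09:00:04 10.0.0.9 10.0.0.20 443",  # not SMB, ignored
    ]
    # One host sweeping eight different machines on 445 within eight seconds.
    + [f"2024-01-15T09:01:{i:02d} 10.0.0.66 10.0.1.{i} 445" for i in range(1, 9)]
    # A backup host reaching eight machines too, but five minutes apart.
    + [f"2024-01-15T10:{i * 5:02d}:00 10.0.0.30 10.0.2.{i} 445" for i in range(1, 9)]
)


def smb_fanout_alerts(log_text, max_peers=5, window_s=60, port=445):
    """Map each source that contacted more than max_peers distinct hosts on
    `port` within any window_s-second span to its peak distinct-host count."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source -> (time, destination) pairs still in window
    peak = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst, dport = line.split()
        if int(dport) != port:
            continue
        now = datetime.fromisoformat(stamp)
        seen = recent[src]
        seen.append((now, dst))
        while now - seen[0][0] > window:  # drop connections older than the window
            seen.popleft()
        distinct = len({d for _, d in seen})
        if distinct > max_peers:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak


if __name__ == "__main__":
    for src, count in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"{src} reached {count} distinct hosts on TCP/445 within 60 s")
```

Records must be in time order for the sliding window to work. Management and backup tools can legitimately contact many hosts over SMB, so tune the threshold and window against your own baseline before alerting on it.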
WannaCry infected an estimated 200,000+ machines across 150 countries in days, disrupting hospitals and forcing some to turn away patients. NotPetya, which reused the same EternalBlue exploit months later, caused billions of dollars in damage to companies including shipping giant Maersk.
A patched-but-ignored Windows networking flaw, combined with self-spreading worm logic, turned a single vulnerability into one of the costliest cyberattacks ever recorded.