The BlueKeep vulnerability is “wormable”, meaning an attacker only has to gain access to one computer in order to gain control of all the other devices on its network. Microsoft already issued patches for the bug last month, but private security firm Errata estimated that millions of devices still remain vulnerable. While an attacker has yet to take advantage of the bug, doing so could easily lead to a repeat of 2017’s WannaCry malware outbreak that impacted systems worldwide, including Britain’s NHS, Honda and FedEx.

CISA is asking users of older Microsoft systems to install the available security updates. Microsoft has even released patches for operating systems that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. If you’re a regular end-user running Windows 7 or older, you’re likely better off upgrading to a newer version of Microsoft for added security.