Homeland Security’s cyber agency says it has tested a working exploit for the BlueKeep vulnerability, capable of achieving remote code execution on a vulnerable device.

To date, most of the private exploits targeting BlueKeep would have triggered a denial-of-service condition, capable of knocking computers offline. But an exploit able to remotely run code or malware on an affected computer — an event feared by government — could trigger a similar global incident similar to the WannaCry ransomware attack in 2017.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed in an alert Monday it had used BlueKeep to remotely run code on a Windows 2000 computer.

Although there have been no public exploits have been released, CISA’s alert is a warning that it’s a matter of time before malicious attackers could achieve the same results.

Both Microsoft and the federal government have sounded the alarm in recent weeks over the risks posed by BlueKeep.

The bug, also known as CVE-2019-0708, is a critical-rated bug that affects computers running Windows 7 and earlier, including several server operating systems. The vulnerability can be used to run code at the system level, allowing full access to the computer — including its data. The bug is also “wormable,” meaning it can spread from a single computer connected to the internet to every other affected device on the network.

Microsoft issued patches last month, but as many as a million devices remain vulnerable. Kevin Beaumont, a U.K.-based security researcher, said in a tweet that the number of affected devices “will be way, way higher” once exploit code hits inside an organization.

The National Security Agency earlier this month also issued a rare advisory, warning users to patch “in the face of growing threats” of exploitation,

If there’s ever been a time to patch, it’s now.