This week, Microsoft issued patches for 79 flaws across its platforms and products. One of them merits particular attention: a bug so bad that Microsoft released a fix for it on Windows XP, an operating system it officially abandoned five years ago.

There’s perhaps no better sign of a vulnerability’s severity; the last time Microsoft bothered to make a Windows XP fix publicly available was a little over two years ago, in the months before the WannaCry ransomware attack swept the globe. This week’s vulnerability has similarly devastating implications. In fact, Microsoft itself has drawn a direct parallel.

“Any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Simon Pope, director of incident response for the Microsoft Security Response Center, wrote in a statement announcing the patch Tuesday. “It is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

Microsoft is understandably withholding specifics about the bug, noting only that it hadn’t seen an attack in action yet, and that the flaw relates to Remote Desktop Services, a feature that lets administrators take control of another computer that’s on the same network.

That small parcel of information, though, still gives potential attackers plenty to go on. “Even mention that the area of interest is Remote Desktop Protocol is sufficient to uncover the vulnerability,” says Jean Taggart, senior security researcher at security firm Malwarebytes.

Expect that to happen quickly. “This will be fully automated in the next 24 to 48 hours and exploited by a worm,” says Pieter Danhieux, CEO of secure coding platform Secure Code Warrior, referring to the class of malware that can propagate across a network without any human interaction, such as clicking the wrong link or opening the wrong attachment. Like the Blob, it just spreads.

Once that worm gives hackers access to those devices, the possibilities are nearly limitless. Danhieux sees ransomware as a likely path; Taggart ticks off spam campaigns, DDoS, and data harvesting as possibilities. “Take your pick,” he adds. “Suffice to say, a lot.”

The saving grace for all of this is that computers running Windows 8 and up aren’t affected. But it’s important not to underestimate the danger that Windows XP computers can still pose. Estimates vary, but analytics company Net Marketshare says that 3.57 percent of all desktops and laptops still run Windows XP, which was first released in 2001. Conservatively, that's still tens of millions of devices on Windows XP—more than are running on the most recent version of MacOS. Moreover, you can assume with some confidence that almost none of those computers are ready for what’s coming.

"When you’re dealing with patching, it’s a balancing act." Richard Ford, Forcepoint

Yes, plenty of Windows XP users are just folks who haven’t dusted off their Dell Dimension tower since the last Bush administration. It seems unlikely that they'll ever get around to installing this latest patch, especially given that you need to seek it out, and download and install it yourself. It’s hard enough to get people to update modern systems with their incessant nagging popups; one imagines that those still on Windows XP are in no rush to visit the Microsoft Update Catalog.

More troubling, though, are the countless businesses and infrastructure concerns that still rely on Windows XP. As recently as 2016, even nuclear submarines had it on board. For the most sensitive use cases—like, say, nukes—companies and governments pay Microsoft for continued security support. But the bulk of hospitals, businesses, and industrial plants that have Windows XP in their systems don’t. And for many of those, upgrading—or even installing a patch—is more difficult than it might seem.