Homeland Securitys cybersecurity advisory unit has issued a rare emergency alert to government departments after the recent disclosure of acritical-rated security vulnerability in server versions of Microsoft Windows. The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an alert requiring all federal departments and agencies toimmediately patch any Windows servers vulnerable to the so-called Zerologon attack, citing anunacceptable risk to government networks.

Its the third emergency alert issued by CISA this year.

The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a networks security. The bug was appropriately calledZerologon, because an attacker doesnt need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.

With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files. Security company Secura, which discovered the bug, said it takesabout three seconds in practice to exploit the vulnerability. Microsoft pushed out an initial fix in August to prevent exploitation. But given the complexity of the bug, Microsoft said it would have to roll out a second patch early next year to eradicate the issue completely.

But the race is on to patch systems after researchers reportedly released proof-of-concept code, potentially allowing attackers to use the code to launch attacks. CISA said that itassumes active exploitation of this vulnerability is occurring in the wild. Although the CISA alert only applies to federal government networks, the agency said itstrongly urges companies and consumers to patch their systems as soon as possible if not already.