SANS ISC shares potential for one of the critical CVEs patched to work without interaction on unpatched systems (as a network “worm” attack).  ADMINs should promptly update all vulnerable systems

Microsoft May 2021 Patch Tuesday (sans.edu)

One of the critical vulnerabilities which requires special attention this month is a remote code execution (RCE) on HTTP Protocol Stack(CVE-2021-31166). An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. This vulnerability requires no user authentication or interaction – thus, it is considered a wormable vulnerability. The vulnerability affects different versions of Windows 10, Windows Server 2004 and Windows Server 20H2 and has a CVSS score of 9.8.