Refining the code could yield an exploit similar to WannaCry that can spread and cause havoc on its own.
The vulnerability was announced by security firms Fortinet and Cisco on 10 March, apparently after a leak from Microsoft, and then pulled from the Web. That was the day Microsoft was expected to release its normal load of security advisories.
Two days later, with no explanation, Microsoft issued a patch that it said would plug the hole.
"Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable," the researcher wrote.
"Sometimes you BSOD [blue screen of death, which is seen when a screen dump takes place on Windows]. Using this for any purpose other than self-education is an extremely bad idea. Your computer will burst in flames. Puppies will die."
The vulnerability, CVE-2020-0796, is described by Microsoft as a SMBv3 Client/Server remote code execution vulnerability.
It is present in Windows 10 versions 1903 and 1909 and in Windows Server versions 1903 and 1909, all recent iterations of the operating system.