The patch (MS05-039) addresses a flaw in the Windows Plug-and-Play system, which automatically recognises and configures devices as they are plugged in to the computer.
Security testers at eEye claim to have found two separate examples of working exploit code in the past few hours that could give full control of a target PC.
"On discovering two instances of exploit code online, the research team conducted thorough testing to confirm that both present a legitimate threat to Windows 2000 systems (completely patched Service Pack 4 with all hotfixes)," said the company in an alert.
"One exploit, released by an anonymous author, will bind a command prompt to TCP port 8721. Users should consider this patch highly critical, and should install it as soon as possible."
Computers running Windows XP and Server 2003 are also at risk, although the exploit is more difficult to use on these machines. Microsoft is urging all users to apply the patch as quickly as possible.
eEye has a free scanning utility that lets computer users test whether they are vulnerable.