A wormable vulnerability in the HTTP Protocol Stack of the Windows IIS server can also be used to attack unpatched Windows 10 and Server systems publicly exposing the WinRM (Windows Remote Management) service. Microsoft already patched the critical bug tracked as CVE-2021-31166 during the May Patch Tuesday. Over 2 million Windows systems reachable over the Internet are exposed the vulnerable WinRM service. The vulnerability only impacts versions 2004 and 20H2 of Windows 10 or Windows Server versions.
Source: https://www.bleepingcomputer.com/news/security/wormable-windows-http-vulnerability-also-affects-winrm-servers/