A statement from Microsoft president and chief legal officer Brad Smith on Sunday criticised the way governments store up information about security flaws in computer systems.
"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," he wrote.
"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen."
He added: "The governments of the world should treat this attack as a wake-up call."
Microsoft said it had released a Windows security update in March to tackle the problem involved in the latest attack, but many users were yet to run it.
"As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems," Mr Smith said.
Analysis: Dave Lee, BBC North America technology reporter, San Francisco
There are going to be some tough questions on Monday for those institutions which didn't do enough to keep their networks secure, as well as the organisations that were best placed to stop it happening in the first place - the NSA and Microsoft.
The NSA keeps a chest of cyberweapons to itself so it can hit targets, but Microsoft has long argued that this is dangerous. If there is a flaw in Windows, the company said, surely the safest thing to do is to let its team know straight away so it can be fixed.
But then Microsoft also needs to consider what obligation it has to update all users - not just the ones who pay extra for security on older systems.
Updating your computer if you're an individual is a piece of cake, but for a network the size of Britain's National Health Service? Tough - time-consuming, expensive and complex.
For a company like Microsoft to say it won't keep those systems safe unless they shell out more money, then that in itself is something of a ransom.