Log4Shell Downloaded 40 Million Times in 2025
Sonatype has claimed that 13% of Log4j versions downloaded this year were vulnerable to the legacy critical Log4Shell bug
Log4j is a Java logging library whose vulnerabilities, including Log4Shell, can let attackers execute code through dependent applications.
Search across headline titles and summaries.
Background for this topic.
Apache Log4j is a Java library that records application events, such as errors and user activity, to files, consoles, or other destinations. Log4j 2 is distinct from the older Log4j 1.x branch, and both may appear directly or as transitive dependencies inside larger applications and products.
Security attention centers on Log4Shell (CVE-2021-44228), a flaw in Log4j 2’s JNDI lookup processing. When an application logged attacker-controlled text, a vulnerable configuration could contact an attacker-controlled service and potentially execute code. Effective defense requires identifying bundled and indirect Log4j copies, upgrading to a supported fixed release, and treating exposed applications as potential attack surfaces. Monitoring application and network logs for exploit attempts, followed by focused compromise assessment where vulnerable systems were reachable, remains important because patching alone does not establish whether exploitation occurred.
Weekly headline count for the current query.
Sonatype has claimed that 13% of Log4j versions downloaded this year were vulnerable to the legacy critical Log4Shell bug
A new report by Cato Networks found that exploiting old vulnerabilities in unpatched systems is one of threat actors’ favorite initial access vectors
Two years after a critical vulnerability was found in utility Log4j, 38% of apps still use buggy versions
Budworm leveraged the Log4j vulnerabilities to compromise the Apache Tomcat service on servers
In a joint advisory, three US agencies, NSA, CISA and FBI, warned about Chinese threat actors
It is the first campaign in which the hacker group exploits SysAid apps as a vector for initial access
The CSRB concluded that the initial disclosure on Log4j was done right, but there is still much to improve
The analysis provides fresh insights into the notorious Log4j vulnerability
Three members of the RSA Advisory board offered insights into ransomware, Log4j and supply chain security