Log4Shell Downloaded 40 Million Times in 2025
Sonatype has claimed that 13% of Log4j versions downloaded this year were vulnerable to the legacy critical Log4Shell bug
Log4Shell is a critical flaw in Apache Log4j that can let attackers execute code remotely in Java applications using the library.
Search across headline titles and summaries.
Background for this topic.
Log4Shell is a remote-code-execution vulnerability in Apache Log4j, a Java library used to record application events. Identified as CVE-2021-44228, it can be triggered when an affected Log4j version processes attacker-controlled text containing a specially crafted lookup. In vulnerable configurations, that lookup can cause the application to contact an attacker-controlled service and load code, potentially giving the attacker control of the host. Exploitation is not automatic in every deployment, but the library’s widespread use made the vulnerability significant.
Security teams must account for Log4j bundled inside applications and other dependencies, not only software they installed directly. Vulnerability management therefore requires dependency inventory, version verification, and upgrading or otherwise mitigating affected installations according to Apache’s guidance. Teams should also review application and network logs for exploitation attempts, restrict unnecessary outbound connections, and investigate systems that may have processed malicious lookups. If compromise is suspected, response may require isolating the host and rotating credentials or secrets accessible to the affected process.
Sonatype has claimed that 13% of Log4j versions downloaded this year were vulnerable to the legacy critical Log4Shell bug