Digging Into the Numbers One Year After Log4Shell

April 10, 2023

One year ago, Log4Shell, a critical zero-day vulnerability, made headlines. It affected logging libraries used by millions of developers in Java applications as well as cloud services like iCloud, Cloudflare and Minecraft servers.

Once the government was made aware of this vulnerability, it took swift action by issuing an emergency directive for civilian federal agencies. This mandate required them to identify all software solution stacks accepting data input from the internet, map them to a government-run GitHub repository containing known software assets using vulnerable code, and patch any affected instances immediately.

1. Number of Vulnerable Systems

One year after the Apache Software Foundation discovered a critical flaw in Log4j logging framework, Tenable’s data shows an increasing number of organizations still vulnerable. Based on 500 million tests performed, nearly seven out of 10 organizations remain susceptible to this issue–even those which had previously taken steps to mitigate it.

Bob Huber, Tenable security chief, stressed the need for ongoing monitoring of Log4j versions in order to address remediation needs as they arise. According to Huber, one common reason organizations continue experiencing recurrences of the issue is when new assets are added into an environment.

It’s essential to recognize that Log4j is not an isolated issue; its usage across various Java applications and services leaves systems vulnerable to potential exploitation. This includes everything from cloud solutions to web servers and apps, placing organizations at risk of compromise.

That is why security teams have been diligently scanning for vulnerable systems. This includes both internally developed and third-party applications, as well as some open source software. Furthermore, it’s essential to review hardware that is not part of an organization’s infrastructure but used by a partner or vendor.

Threat actors often search for systems they can utilize to collect intelligence, exfiltrate data and carry out other illegal activities. This may include malware infections, lateral movement and privilege escalation as well as financial gain.

Security professionals around the world continue to warn organizations about this widespread vulnerability. Critical infrastructure operators and businesses that handle sensitive information are especially at risk, as impacted services could become highly visible targets for cybercriminals. Therefore, organizations need to take immediate steps to secure their software supply chains and infrastructures. Fortunately, those who take time to address this threat will be better equipped to defend against future cyberattacks; however, doing so may take some effort and time.

2. Number of Vulnerable Applications

One year after the Log4Shell flaw was first identified, it continues to affect businesses worldwide. And as more organizations struggle to fully mitigate this critical vulnerability, the larger it becomes.

Over the last year, cybercriminals have utilized Log4Shell in multiple ways to install malware, launch ransomware attacks and spread Mirai botnet attacks against government and corporate targets across the US, China and Middle East. According to Cisco Talos, ransomware groups as well as cryptocurrency mining gangs have taken advantage of this vulnerability.

In December 2021, CVE-2021-44228 was identified as the vulnerability that allowed hackers to take control of vulnerable applications by injecting a single line of code into the system’s logging utility. This enabled remote code execution (RCE), which allows cybercriminals to execute applications as if they were an authenticated user and run them as though they were in control.

Although this issue has made the news this year, it may not be as widespread as many experts had initially suspected. That’s because the vulnerable component is more than one layer deep within a binary’s dependency tree; it can be found in several nested JAR files and used by numerous third-party libraries.

Though the library has been fixed, a significant number of applications remain vulnerable. As of October, vulnerability scanning firm Tenable reported that more than 70% of scanned organizations remain susceptible to this flaw.

Although this figure represents an improvement from earlier in the year, it remains a high percentage. Tenable has also observed that 29% of analyzed assets have experienced recurrences of Log4Shell after initial remediation.

The primary cause of this is due to an outdated version of Log4j being utilized on many web apps and services. This presents a major issue as more companies move their development and deployment processes into the cloud.

Therefore, companies need to be able to quickly detect and remediate vulnerabilities in their web applications. Furthermore, organizations must implement continuous vigilance and monitoring to prevent the recurrence of Log4j or other serious security flaws that could negatively affect a business.

3. Number of Vulnerable Servers

One year after the publication of Log4Shell, researchers are still finding servers exploited by threat actors to take advantage of its vulnerability. This critical flaw was quickly used to compromise virtualization infrastructure, install ransomware, steal credentials, control compromised networks and access Microsoft Security reports among other malicious activities.

The attackers were able to gain complete control over a range of systems via one malicious code injection. They then exploited this compromised infrastructure to create botnets and spam campaigns, while installing backdoors that would facilitate future criminal activities such as ransomware attacks.

With time, nation-state-backed hacker groups began exploiting this vulnerability. Most notably, Iranian government-sponsored attackers utilized Log4Shell to gain access to a VMWare Horizon server and remain undetected for over three months.

Other serious exploitation attempts have included malicious actors launching Mirai botnets that target Internet-of-Things devices like IP cameras and smart TVs, as well as malware infection campaigns aimed at gaining initial access to an environment. All these operations typically serve to perform privilege escalation, lateral movement, and data exfiltration.

Many of these exploitation cases remain active and could continue indefinitely. It’s essential to note that these attacks do not target any particular group of users and occur more frequently than most would expect.

Hackers typically avoid detection by scanning a target system for vulnerabilities. While larger organizations have taken immediate steps to patch this flaw, many small and midsized businesses could still be at risk from an exploitable version of Log4Shell lurking on their servers.

Therefore, taking steps to address the risk of an insecure version of Log4Shell is paramount for preventing an attacker from taking over a system. There are various tools that can help identify vulnerable versions, such as Sophos XDR (extended detection and response). It detects Linux servers with Debian-style or Red Hat-style Log4j packages included in their distro and reports their version in use. This makes it simple to identify any out-of-date systems which may still expose their users to this security flaw.

4. Number of Vulnerable IoT Devices

One year after Log4Shell, a security bug which enabled thousands of IoT devices to be hijacked in December 2016, investigating the numbers has been an eye-opening experience. It serves as a reminder that while the IoT offers immense potential, it also poses significant cybersecurity threats.

Internet of Things (IoT) devices that are insecure, such as IP cameras, VoIP systems and home appliances. These vulnerable items are easy to exploit and pose a danger to your network, business operations and personal data.

According to Forescout’s research, IoT devices with weak passwords or compromised default credentials are particularly vulnerable to attack. This makes them a prime target for cybercriminals looking to access sensitive information or launch DDoS attacks.

Fortunately, there are several steps you can take to safeguard your IoT devices and guarantee their safety. These include limiting their exposure to the internet, using strong passwords, and choosing secure settings.

Another essential step is updating IoT devices with the most up-to-date patches. This step is particularly important since many IoT devices lack the resources to update themselves automatically and require manual intervention. The ideal approach would be using a firmware upgrade that can be applied remotely.

Additionally, device updates can be delivered using machine-to-machine authentication and encryption to guarantee their integrity. Doing so helps prevent malware from spreading or hackers from taking control of an IoT device and altering its software.

Implementing and monitoring these measures can be a hassle, making them especially important to perform vulnerability testing and penetration tests on IoT devices before they go live in production environments.

Manufacturers must also be able to apply patches on these devices when they are discovered. Unfortunately, this can be a challenge since these devices may be located in remote places and it may be difficult to access them for applying patches.

IoT devices are becoming an integral part of our lives and businesses alike. But this doesn’t make them immune from potential breaches in security that could do serious harm to a business or organization.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Security Practitioners Should Understand Their Business

Security Practitioners Should Understand Their Business

Discover why security practitioners should understand their business context for more effective cybersecurity strategies. With devastating data breaches and ransomware attacks dominating headlines and putting people’s lives at risk, cybersecurity has been elevated to...

Shadow Data is A Growing Risk

Shadow Data is A Growing Risk

Shadow data: A growing risk to your organization's security. Learn how to tackle and mitigate this growing threat. Businesses are embracing the cloud for multiple reasons, including cost savings and business acceleration. But these gains are accompanied by growing...

Delinea Adds New Features

Delinea Adds New Features

Delinea adds new features for its privilege manager and devops secrets vault that reduce friction on workstations and help balance security and velocity. This includes enhanced privilege elevation workflows and improvements to our native MacOS agent for the latest...

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us