Not patched Log4j yet? Assume attackers are in your network, say CISA and FBI

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have warned organizations with unpatched Log4j vulnerabilities in VMware Horizon server instances to assume their network has been compromised. Despite a serious security flaw discovered a year ago, some organizations have still not applied the necessary patches or mitigations. CISA found that some networks had been breached by hackers exploiting the Log4j vulnerability, allowing them to steal usernames and passwords.