Log4j Attack Surface Remains Massive

A recent scan by Rezilion found over 90,000 internet-exposed servers still vulnerable to the critical Apache Log4j remote code execution vulnerability, even though it was disclosed four months ago. The actual figure is likely to be much higher, as the scan considered only publicly facing open-source servers. Slow remediation is attributed to the ubiquity of the flaw and the difficulty of identifying it, since the vulnerable library is often buried deep in applications. There is significant concern that attackers may have already exploited the flaw and are waiting for the right moment to strike.