“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have it installed, and experts said the fallout would not be known for several days.
New Zealand’s Computer emergency response team was among the first to report that the flaw in a Java-language utility for Apache servers used to log user activity was being “actively exploited in the wild” just hours after it was publicly reported Thursday and a patch released.
The vulnerability, dubbed ‘Log4Shell,’ was rated 10 on a scale of one to 10, the worst possible. Anyone with the exploit can get full access to an unpatched machine.
“The internet’s on fire right now. People are scrambling to patch and there are script kiddies and all kinds of people scrambling to exploit it,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. “In the last 12 hours it has been fully weaponized.”