National Security

‘Most Serious I’ve Seen’: Cybersecurity Flaw Could Expose ‘Hundreds Of Millions’ Of Devices

(Photo by Kevin Dietsch/Getty Images)

Daily Caller News Foundation logo
Ailan Evans Deputy Editor
Font Size:

Cybersecurity officials are urging federal agencies and infrastructure companies to take action against a recently-discovered coding vulnerability in a common software tool that threatens to compromise millions of devices.

The vulnerability, known as Log4Shell, is found in an open-source software tool called Log4J that is used by almost every major cloud service provider and enterprise software firm, according to cybersecurity firm CrowdStrike. Hackers can exploit the flaw to gain access to a company’s internal networks, allowing them to steal data, destroy information and take control of a company’s systems.

“We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability,” Jen Easterly, head of the Cybersecurity Infrastructure and Security Agency (CISA), said in a statement Saturday, shortly after the flaw was discovered.

The vulnerability could affect potentially “hundreds of millions” of devices, Eric Goldstein, executive assistant director of cybersecurity at CISA, told reporters. However, the agency has yet to detect any major attacks on infrastructure or federal authorities. (RELATED: Foreign Hackers Stole Information From Defense Contractors, Researchers Say)

CISA issued a notice Wednesday informing critical infrastructure companies to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks. Easterly and other CISA officials also held a call with the heads of several critical infrastructure firms Monday to explain the severity of the issue and to urge immediate action.

“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” Easterly said in the meeting, according to CyberScoop. “The issue is an unauthenticated remote execution vulnerability that could allow an intruder to take over an affected device.”

Easterly reportedly said that the vulnerability “is one of the most serious I’ve seen in my entire career, if not the most serious.”

All content created by the Daily Caller News Foundation, an independent and nonpartisan newswire service, is available without charge to any legitimate news publisher that can provide a large audience. All republished articles must include our logo, our reporter’s byline and their DCNF affiliation. For any questions about our guidelines or partnering with us, please contact