A new vulnerability emerged in the past few hours is causing the security experts of the IT sector to worry a lot: it’s called Log4Shell and if exploited it allows the bad guys to execute code remotely, giving the ability for hackers to compromise infected servers and machines.

The previously unknown vulnerability was found within the Log4j library, a log library used by many applications and online services. Logging systems are used by virtually any network security system (and more), so you can view reports in case of errors or problems, which is why the Log4Shell vulnerability could have a really big impact.

According to the statements made to The Verge by Cloudflare CTO John Graham-Cumming, “This is a very serious vulnerability, due to the spread of Java and the Log4j library. There is a huge amount of Java software connected to the network and in the back-ends of the systems. If I think about the past 10 years, there are only two such serious exploits: Heartbleed, which allowed information to be obtained from theoretically secure servers, and Shellshock, which allowed code to be executed on a remote machine ”.

The Log4j library has already received a patch which mitigates the vulnerability, but given the large number of machines to update and the time required to do so, Log4Shell remains a very worrying threat.

Researcher Marcus Hutchins, famous for blocking WannaCry malware, he declared that “millions of apps use Log4j for logging, and all an attacker has to do is make the application log a special string”. To exploit the vulnerability, hackers must ensure that the software saves a string of special characters in the log file. These files usually collect a lot of data, which works in the hackers’ favor, as the vulnerability is very easy to exploit.

As reported by Ars Technica, Log4Shell was initially found on Minecraft servers, where hackers were able to exploit it simply by writing messages in chat. The security company GreyNoise claims that it has already identified several servers looking for machines vulnerable to the exploit.

LunaSec stated that too Steam and iCloud are vulnerable to Log4Shell. Doug Lombardi, a representative of Valve, said that the company’s engineers checked the machines immediately and, thanks to the security rules regarding untrusted code, they do not believe that Steam is at risk.