What is the CVSS score of CVE-2021-44228?

CVE-2021-44228 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 94.4%.

Is there a public PoC exploit available for CVE-2021-44228?

Yes, a public proof-of-concept exploit is available for CVE-2021-44228. Prioritise patching immediately. EPSS: 94.4%.

How to fix or mitigate CVE-2021-44228?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

CVE-2021-44228

CRITICAL

Improper Input Validation (CWE-20)

2021-12-10 security@apache.org

10.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 11:19 vuln.today

Added to CISA KEV

Feb 20, 2026 - 16:15 cisa

CISA KEV

PoC Detected

Feb 20, 2026 - 16:15 vuln.today

Public exploit code

Patch released

Feb 20, 2026 - 16:15 nvd

Patch available

CVE Published

Dec 10, 2021 - 10:15 nvd

CRITICAL 10.0

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

6 maven packages depend on com.guicedee.services:log4j-core (1 direct, 5 indirect)
598 maven packages depend on org.apache.logging.log4j:log4j-core (254 direct, 347 indirect)

Ecosystem-wide dependent count for version 1.2.1.2-jre17 and other introduced versions.

DescriptionNVD

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

AnalysisAI

Apache Log4j2 contains a critical JNDI injection vulnerability known as 'Log4Shell' that allows unauthenticated remote code execution through crafted log messages, affecting virtually every Java application on Earth and triggering the largest vulnerability remediation effort in history.

Technical ContextAI

The CWE-20 vulnerability in Log4j2's lookup feature automatically processes JNDI references in log messages. When an application logs user-controlled data containing ${jndi:ldap://...}, Log4j resolves the JNDI reference, connecting to an attacker's LDAP server which returns a malicious Java class for execution. The attack surface includes HTTP headers, form fields, usernames, and any other data that reaches a log statement.

Affected ProductsAI

Apache Log4j2 2.0-beta9 through 2.15.0 Virtually every Java application using Log4j2 for logging Cloud services, enterprise software, embedded devices, IoT, and more

RemediationAI

Update Log4j2 to 2.17.1+. If immediate patching is impossible: set log4j2.formatMsgNoLookups=true, remove JndiLookup class from classpath, or upgrade to Java 8u191+ (partial mitigation). Scan all Java applications for Log4j2 usage. This requires organization-wide inventory of all Java deployments.

CVE-2021-44228 vulnerability details – vuln.today

Back

CVE-2021-44228

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code