CVE-2021-4104

HIGH EXPLOITED

Apache Log4j 1.2 - Remote Code Execution via JMSAppender JNDI Requests

Exploitation Summary

CVE-2021-4104 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including cckuailong, JAckLosingHeart, and cuijiung.

Description

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
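
A defensive check for the condition described above, as an added example that is not part of the original entry or of the Log4j project: it audits a Log4j 1.x properties file for appenders configured as JMSAppender and reports their TopicBindingName and TopicConnectionFactoryBindingName values. The sample configuration is constructed, and treating a binding name that carries a URL scheme as a remote lookup is a heuristic assumed here.

```python
import re

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# The two options named in the CVE description, compared case-insensitively.
BINDING_OPTIONS = {"topicbindingname", "topicconnectionfactorybindingname"}
# Heuristic (assumption): a binding name carrying a URL scheme points the
# JNDI lookup at a remote service instead of a local naming context.
REMOTE_NAME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

# Constructed sample configuration, not taken from any real system.
SAMPLE = """\
# constructed example
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=ldap://host.example/obj
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

def parse_properties(text):
    """Parse key=value / key:value lines; line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_log4j1_config(text):
    """Return one finding per appender configured as JMSAppender."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value != JMS_APPENDER:
            continue
        prefix = key + "."
        bindings = {k[len(prefix):]: v for k, v in props.items()
                    if k.startswith(prefix) and k[len(prefix):].lower() in BINDING_OPTIONS}
        remote = [name for name, v in bindings.items() if REMOTE_NAME.match(v)]
        findings.append({"appender": m.group(1), "bindings": bindings,
                         "remote_lookups": remote})
    return findings

if __name__ == "__main__":
    for finding in audit_log4j1_config(SAMPLE):
        print(finding)
```

Any finding means the non-default JMSAppender is in use; a non-empty remote_lookups list, or a configuration file writable by accounts other than the application owner, is the case to investigate first.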

Exploits (3)

nomisec STUB 20 stars
by cckuailong · poc
https://github.com/cckuailong/log4shell_1.x

This repository contains a minimal stub for CVE-2021-4104 (Log4j 1.x RCE) but lacks functional exploit code. The README describes prerequisites (JMS environment and log4j.properties modification) and references Log4Shell 2.x, while the Java file is a basic Log4j logging example without exploitation logic.

Classification: Stub 80%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Apache Log4j 1.x
Auth required
Prerequisites: JMS environment on target · ability to modify log4j.properties
devstral-2 · analyzed Feb 16, 2026

github STUB 5 stars
by JAckLosingHeart · java · poc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/log4j-CVE-2021-4104

The repository contains a minimal Java test file that logs a debug message using Log4j but does not demonstrate any exploit for CVE-2021-4104. It lacks the crafted payload or malicious input required to trigger the vulnerability.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache Log4j (unspecified version)
No auth needed
Prerequisites: Log4j library in classpath
devstral-2 · analyzed Apr 29, 2026

nomisec WORKING POC
by cuijiung · poc
https://github.com/cuijiung/log4j-CVE-2021-4104

This PoC demonstrates CVE-2021-4104, a Log4j 1.x RCE vulnerability via JMS deserialization. The Evil.java class exploits the vulnerability by executing arbitrary code (calc.exe) when instantiated, while Test.java simulates a vulnerable Log4j 1.x environment.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Log4j 1.x
Auth required
Prerequisites: Target must have JMS environment · Attacker must modify log4j.properties file
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.5
EPSS 0.7220
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2022-04-26
CWE
CWE-502
Status published
Products (50)
apache/log4j 1.2
Apache Software Foundation/Apache Log4j 1.x Apache Log4j 1.2 1.2.x
fedoraproject/fedora 35
log4j/log4j 1.2.0 (Maven)
oracle/advanced_supply_chain_planning 12.1
oracle/advanced_supply_chain_planning 12.2
oracle/business_intelligence 5.9.0.0.0
oracle/business_intelligence 12.2.1.3.0
oracle/business_intelligence 12.2.1.4.0
oracle/business_process_management_suite 12.2.1.3.0
... and 40 more
Published Dec 14, 2021
Tracked Since Feb 18, 2026