CVE-2021-44832

MEDIUM EXPLOITED IN THE WILD RANSOMWARE

Apache Log4j 2.0-beta7-2.17.0 - Remote Code Execution via JDBC Appender JNDI LDAP Data Source


Exploitation Summary

CVE-2021-44832 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io), including in ransomware campaigns. EIP tracks 2 public exploits from researchers including cckuailong, name.

AI-analyzed exploit summary: This repository contains a working PoC for CVE-2021-44832, a Log4j 2.17.0 RCE vulnerability. It leverages JNDI injection via a malicious LDAP server to achieve remote code execution by loading a malicious configuration file.

Description

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Exploits (2)

nomisec WORKING POC 4 stars
by cckuailong · poc
https://github.com/cckuailong/log4j_RCE_CVE-2021-44832

This repository contains a working PoC for CVE-2021-44832, a Log4j 2.17.0 RCE vulnerability. It leverages JNDI injection via a malicious LDAP server to achieve remote code execution by loading a malicious configuration file.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Log4j 2.17.0
No auth needed
Prerequisites: Access to a vulnerable Log4j 2.17.0 instance · Ability to host a malicious LDAP server and HTTP server for the configuration file
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER 1 stars
by name · poc
https://github.com/name/log4j-scanner

This Rust-based scanner identifies files potentially vulnerable to CVE-2021-44832 by detecting Logger.class files with 'log4j' in their names or JAR files not containing '2.17.1' in their names. It does not exploit the vulnerability but aids in discovery.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Apache Log4j (versions prior to 2.17.1)
No auth needed
Prerequisites: Access to the filesystem containing potential Log4j files
devstral-2 · analyzed Feb 16, 2026

References (12)

Core References (12)
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://issues.apache.org/jira/browse/LOG4J2-3293
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/12/28/1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
Third Party Advisory x_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220104-0001/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 6.6
EPSS 0.5359
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2023-02-14
InTheWild.io 2022-05-25
Ransomware Use Confirmed
CWE
CWE-20 CWE-74
Status published
Products (45)
apache/log4j 2.0 (6 CPE variants)
apache/log4j 2.0.1 - 2.3.2
Apache Software Foundation/Apache Log4j2 log4j-core - 2.17.1
cisco/cloudcenter 4.10.0.16
debian/debian_linux 9.0
fedoraproject/fedora 34
fedoraproject/fedora 35
oracle/communications_brm_-_elastic_charging_engine 12.0.0.5.0
oracle/communications_brm_-_elastic_charging_engine < 12.0.0.4.6
oracle/communications_diameter_signaling_router 8.0.0.0 - 8.5.1.0
... and 35 more
Published Dec 28, 2021
Tracked Since Feb 18, 2026