Cyber Resilience

CVE-2021-44228

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE · DDoS

Published: 10 December 2021
Modified: 20 February 2026
KEV Added: 10 December 2021
Patch: 11 December 2021
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 1.0000 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2021-44228 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Cisco Webex Meetings Server. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

Apache Log4j2 versions 2.0-beta9 through 2.15.0, excluding the security releases 2.12.2, 2.12.3, and 2.3.1, are affected by a flaw in JNDI features used within configuration, log messages, and parameters. These features do not protect against attacker-controlled LDAP and other JNDI endpoints, enabling arbitrary code execution when message lookup substitution is enabled. The issue is specific to log4j-core and carries a CVSS 3.1 score of 10.0.

An attacker able to control log messages or log message parameters can trigger the vulnerability to load and execute arbitrary code from remote LDAP servers. No privileges or user interaction are required, and the attack can be performed over the network with impacts to confidentiality, integrity, and availability.

The provided references include multiple public proofs of concept for remote code execution and information disclosure against affected versions, along with vendor advisories. The underlying description states that the behavior was disabled by default starting in 2.15.0 and the functionality was fully removed in 2.16.0 and the listed security releases.

Vulnerability details

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

KEV Date Added: 10 December 2021

Related Threats

CVEs Like This One

CVE-2025-24813 · Same product: Debian Debian Linux · both on KEV
CVE-2023-4911 · Same product: Debian Debian Linux · both on KEV
CVE-2022-0847 · Same product: Fedoraproject Fedora · both on KEV
CVE-2021-3156 · Same product: Debian Debian Linux · both on KEV
CVE-2020-1472 · Same product: Debian Debian Linux · both on KEV
CVE-2025-0411 · Same product: Netapp Active Iq Unified Manager · both on KEV
CVE-2024-54085 · Same product class: NAS / storage appliance · both on KEV
CVE-2021-45046 · Same product: Apache Log4J · both on KEV
CVE-2025-24970 · Same product: Netapp Active Iq Unified Manager
CVE-2025-1736 · Same product class: NAS / storage appliance

Affected Assets

Vendor · Product · Affected versions
siemens · 6bk1602-0aa12-0tp0 firmware · ≤ 2.7.0
siemens · 6bk1602-0aa22-0tp0 firmware · ≤ 2.7.0
siemens · 6bk1602-0aa32-0tp0 firmware · ≤ 2.7.0
siemens · 6bk1602-0aa42-0tp0 firmware · ≤ 2.7.0
siemens · 6bk1602-0aa52-0tp0 firmware · ≤ 2.7.0
apache · log4j · 2.0 · 2.0.1 — 2.3.1 · 2.4.0 — 2.12.2 · 2.13.0 — 2.15.0
siemens · sppa-t3000 ses3000 firmware · all versions
siemens · capital · 2019.1 · ≤ 2019.1
siemens · comos · ≤ 10.4.2
siemens · desigo cc advanced reports · 3.0, 4.0, 4.1, 4.2, 5.0
+133 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely installation of vendor patches that remove the JNDI lookup functionality in Log4j 2.16.0+.

prevent: Mandates applying the secure configuration setting (log4j2.formatMsgNoLookups=true or equivalent) that disables message lookup substitution in affected versions.

prevent: Enforces boundary rules that block unauthorized outbound LDAP/JNDI connections used by the attacker-controlled endpoints in this CVE.
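As an added defender-side inventory check (not part of this page and not the Log4j project's own code): a Python routine that opens a log4j-core jar, reads its Maven version, tests it against the affected range stated above (2.0-beta9 through 2.15.0, excluding 2.12.2, 2.12.3 and 2.3.1) and reports whether the JndiLookup class is still present, since deleting that class from the jar was Apache's documented workaround for hosts that could not upgrade. The jar fixture is constructed inline with only the two entries the check reads; the pom.properties and class paths are the ones Maven-built log4j-core jars contain.

```python
import io
import re
import zipfile

# Affected range as stated on this page: 2.0-beta9 through 2.15.0, excluding
# the security releases 2.12.2, 2.12.3 and 2.3.1. Paths below are the ones
# Maven-built log4j-core jars actually contain.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.15.0"
SAFE_RELEASES = {"2.12.2", "2.12.3", "2.3.1"}
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(v):
    """Sortable key: '2.0-beta9' < '2.0' < '2.0.1' (pre-releases sort first)."""
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in base.split("."))
    nums += (0,) * (3 - len(nums))                      # 2.0 -> (2, 0, 0)
    pre_num = re.match(r"[a-zA-Z]*(\d*)", pre).group(1)  # beta9 -> 9
    return nums, ((0, int(pre_num or 0)) if pre else (1, 0))

def version_affected(v):
    if v in SAFE_RELEASES:
        return False
    return parse_version(AFFECTED_LOW) <= parse_version(v) <= parse_version(AFFECTED_HIGH)

def inspect_jar(jar_bytes):
    """Return (version, has_jndi_lookup, verdict) for one log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        version = None
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode(), re.M)
            version = m.group(1).strip() if m else None
    if version is None:
        return version, has_jndi, "unknown version, review manually"
    affected = version_affected(version)
    verdict = ("VULNERABLE" if affected and has_jndi else
               "affected version, JndiLookup class removed" if affected else "not affected")
    return version, has_jndi, verdict

def make_fake_jar(version, include_jndi=True):
    """Constructed fixture: a minimal jar holding only the entries inspect_jar reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

Treat the "JndiLookup class removed" verdict as a stopgap rather than a patch; the formatMsgNoLookups setting listed above was later shown to be incomplete (CVE-2021-45046, listed under related CVEs), so the version check is the one that decides.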

References