Cyber actors will almost certainly exploit the Apache Log4j vulnerability, publicly disclosed in December 2021 as a severe risk, to compromise unpatched US networks over the coming year. This vulnerability is particularly attractive to malicious actors because websites, applications, and software tools worldwide use Log4j open source software for logging, debugging, and other required functions. Exploiting this flaw could allow cyber actors to steal data, install malware, or conduct ransomware or other cyber attacks. State and non-state cyber actors typically continue to scan for disclosed vulnerabilities in unpatched networks months or years later, according to a US Government report.