For cybersecurity workers, 2021 ended with a bang. On Dec. 9, a severe zero-day vulnerability was publicly disclosed in Log4j, a widely used Java logging utility. Dubbed Log4Shell, the flaw allowed an attacker to remotely gain control of a vulnerable device that used the utility. Given Java’s ubiquity, this meant that hundreds of millions of devices were at risk, ranging from servers for enterprise software, cloud hosting, and web applications, to consumer devices such as smart TVs and internet-connected security cameras. What’s more, the flaw was easy to exploit, rendering it accessible to bad actors with no need for high levels of skill, sophistication, or resources. The head of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, called the Log4j flaw one of the most serious vulnerabilities she’d ever seen.