72% of Organisations Remain Vulnerable to “Nightmare”

Tenable, the Exposure Management company, today announced the results of a telemetry study examining the scope and impact of the critical Log4j vulnerability, known as Log4Shell, in the months following its initial disclosure. According to the data collected from over 500 million tests, 72% of organizations remain vulnerable to the Log4Shell vulnerability as of October 1, 2022. The data highlights legacy vulnerability remediation challenges, which are the root cause of the majority of data breaches.

When Log4Shell was discovered in December 2021, organizations around the world scrambled to determine their risk. In the weeks following its disclosure, organizations significantly reallocated resources and invested tens of thousands of hours to identification and remediation efforts. One federal cabinet department reported that its security team devoted 33,000 hours to Log4j vulnerability response alone.

Tenable telemetry found that one in 10 assets was vulnerable to Log4Shell as of December 2021, including a wide range of servers, web applications, containers and IoT devices. October 2022 data showed improvements, with 2.5% of assets vulnerable. Yet nearly one third (29%) of these assets had recurrences of Log4Shell after full remediation was achieved.

“Full remediation is very difficult to achieve for a vulnerability that is so pervasive and it’s important to keep in mind that vulnerability remediation is not a ‘one and done’ process,” said Bob Huber, chief security officer, Tenable. “While an organization may have been fully remediated at some point, as they’ve added new assets to their environments, they are likely to encounter Log4Shell again and again. Eradicating Log4Shell is an ongoing battle that calls for organizations to continually assess their environments for the flaw, as well as other known vulnerabilities.”

Other key findings from the data include:

  • 28% of organizations across the globe have fully remediated Log4Shell as of October 1, 2022, a 14-point improvement from May 2022.
  • 53% of organizations were vulnerable to Log4j during the time period of the study, which underscores the pervasive nature of Log4j and the necessary ongoing efforts to remediate even if full remediation was previously achieved.
  • As of October 2022, 29% of vulnerable assets saw the reintroduction of Log4Shell after full remediation was achieved.
  • Some industries are in better shape than others, with engineering (45%), legal services (38%), financial services (35%), non-profit (33%) and government (30%) leading the pack with the most organizations fully remediated. Approximately 28% of CISA-defined critical infrastructure organizations have fully remediated.
  • Nearly one third of North American organizations have fully remediated Log4j (28%), followed by Europe, Middle East and Africa (27%), Asia-Pacific (25%) and Latin America (21%).
  • Similarly, North America is the top region by percentage of organizations that have partially remediated (90%), followed by Europe, Middle East and Africa (85%), Asia-Pacific (85%) and Latin America (81%).


Media Contact
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
