Detecting Log4Shell in Cipher Scans: A Hidden Risk

Log4Shell (CVE-2021-44228) remains a top exploited vulnerability in 2025. But many miss a critical vector: TLS termination at edge devices.

The Attack Chain

  1. Attacker sends a request carrying a malicious User-Agent header
  2. Load balancer (HAProxy, Nginx, F5) logs the header
  3. A vulnerable log4j on the LB evaluates the logged header and triggers RCE
  4. Backend Java app may be patched — but the edge is not

Role of Weak Ciphers

Weak ciphers enable downgrade attacks:

  • TLS_RSA_WITH_RC4_128_MD5 allows protocol downgrade
  • Attacker forces a TLS 1.0 connection and sends the malicious header over it
  • Even patched backends are bypassed, since the unpatched edge logs the header first

Scan Example

  nmap --script ssl-enum-ciphers -p 443 lb.example.com
  | TLSv1.0:
  |   TLS_RSA_WITH_RC4_128_MD5 (F)

Mitigation

  • Disable RC4, 3DES, TLS 1.0/1.1 at the edge
  • Use TLS 1.3 + HSTS
  • Remove log4j from frontends or disable message lookup
  • Scan all TLS endpoints with the Weak Cipher Tester
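To turn the scan output above into the checks in this mitigation list, here is an added example (not part of the original post or of any scanner) that parses ssl-enum-ciphers style output and flags legacy protocols and weak suites; the scan text is a constructed sample for a hypothetical edge host, not a real result.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers` output
# for a hypothetical edge host; this is not a real scan result.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - F
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: F
"""

# Protocols and suite-name fragments the mitigation list says to drop.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "_NULL_", "_EXPORT")

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)")

def parse_scan(text):
    """Map each protocol version the scan lists to its cipher suites."""
    offered, current = {}, None
    for line in text.splitlines():
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            offered.setdefault(current, [])
            continue
        suite = CIPHER_RE.match(line)
        if suite and current:
            offered[current].append(suite.group(1))
    return offered

def edge_findings(text):
    """One finding string per legacy protocol or weak suite offered."""
    findings = []
    for proto, suites in parse_scan(text).items():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol offered: {proto}")
        for suite in suites:
            if any(marker in suite for marker in WEAK_MARKERS):
                findings.append(f"weak cipher under {proto}: {suite}")
    return findings
```

Feed real scanner output to edge_findings() in a CI gate or inventory job; an empty list means the edge offers none of the protocols or suites the list above says to remove.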

FAQ

Is Log4Shell still active in 2025?

Yes — CISA lists it in the KEV catalog. Edge devices are often forgotten.

Can CDN protect against this?

Only if it strips malicious headers before logging.

Should I scan my CDN?

Yes — Cloudflare, Akamai, Fastly terminate TLS too.

Log4Shell isn’t dead. Your edge might be the entry point.