The FDA is raising awareness of a cybersecurity vulnerability in Apache’s Log4j software library, which is used in medical devices and supporting systems, and a broad range of other systems and applications to log security and performance information.
The vulnerability affects Apache Log4j versions 2.0-beta9 through 2.14.1, and it is being actively and widely exploited across industries. For certain medical devices it may introduce risk in two ways: the device could be made unavailable, or an unauthorized user could remotely affect the safety and effectiveness of device functionality. At this time, the FDA is not aware of any confirmed adverse events affecting medical devices related to this vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) has established a website with additional information on the vulnerability. The FDA encourages medical device manufacturers to review it and follow the recommendations it identifies.
Manufacturers should assess whether they are affected by the vulnerability, evaluate the risk, and develop remediation actions, the FDA says. Because Apache Log4j is broadly used across software, applications, and services, medical device manufacturers should also evaluate whether third-party software components or services used in or with their medical device may include the affected software, and follow the same process to assess the impact on the device.
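The first step above, finding out whether a device or one of its third-party components ships an affected Log4j, can be partly automated. The following Python script is an added example, not part of the FDA notice and not CISA tooling: it walks a directory of JAR/WAR/EAR archives, reads the Maven pom.properties that the log4j-core artifact carries, recurses into embedded archives (shaded or "fat" jars are a common way a third-party component bundles its own copy of Log4j), and flags any version in the 2.0-beta9 through 2.14.1 range the notice names. The sample archives it writes to a temporary directory are constructed for the demonstration. A version outside that range, or no finding at all, is not proof of safety: some builds carry Log4j classes without pom.properties, and vendored copies may be renamed, so treat the output as a starting inventory to be checked against the CISA recommendations rather than a verdict.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range exactly as stated in the FDA notice, inclusive at both ends.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"

# Maven metadata path that the log4j-core artifact carries inside its jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a final release ranks 3


def version_key(version):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple.

    A final release sorts above every pre-release of the same number, so
    2.0-beta9 < 2.0-rc1 < 2.0 < 2.14.1 < 2.15.0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-zA-Z]+)(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    if qualifier is None:
        rank, number = 3, 0
    else:
        rank, number = _QUALIFIER_RANK.get(qualifier.lower(), 0), int(qnum or 0)
    return (int(major), int(minor), int(patch or 0), rank, number)


def is_affected(version):
    """True when the version falls inside the range the notice names."""
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)


def _log4j_core_version(zf):
    """Return the log4j-core version recorded in pom.properties, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, label, findings):
    """Record log4j-core in this archive, then recurse into embedded archives."""
    version = _log4j_core_version(zf)
    if version is not None:
        findings.append((label, version, is_affected(version)))
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                scan_archive(inner, f"{label}!{name}", findings)


def scan_tree(root):
    """Scan every archive under root; labels are root-relative, nested entries joined by '!'."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            with zipfile.ZipFile(path) as zf:
                scan_archive(zf, path.relative_to(root).as_posix(), findings)
    return sorted(findings)


def _make_jar(path, version=None, embedded=None):
    """Constructed sample: a minimal jar, optionally carrying log4j-core metadata
    and/or embedded archives (as a shaded or fat jar would). Returns bytes if path is None."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
        for name, data in (embedded or {}).items():
            zf.writestr(name, data)
    if path is None:
        return buf.getvalue()
    Path(path).write_bytes(buf.getvalue())


def demo():
    """Build a constructed device-software tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        _make_jar(root / "device-ui.jar", version="2.14.1")            # top of affected range
        _make_jar(root / "lib" / "log4j-core-2.17.1.jar", version="2.17.1")  # outside the range
        _make_jar(root / "plain.jar")                                   # no Log4j at all
        nested = _make_jar(None, version="2.0-beta9")                   # bottom of affected range
        _make_jar(root / "vendor-agent.jar", embedded={"lib/log4j-core-2.0-beta9.jar": nested})
        return scan_tree(root)


if __name__ == "__main__":
    for label, version, affected in demo():
        print(f"{'AFFECTED' if affected else 'outside range':13} {version:10} {label}")
```

The embedded-archive recursion is the part worth keeping even if the rest is swapped for a commercial scanner: a vendor agent that shades its dependencies shows no log4j-core jar on disk, yet carries one inside, and that is exactly the third-party case the notice asks manufacturers to evaluate.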
Manufacturers who may be affected by this most recent issue should communicate with their customers and coordinate with CISA. As this is an ongoing and still evolving issue, the FDA also recommends continued vigilance and response to ensure medical devices are appropriately secured.
The FDA says medical organizations should report any adverse events or suspected events through MedWatch, the FDA Safety Information and Adverse Event Reporting program. Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. For more information, see the FDA’s guidance for manufacturers on medical device reporting.