Two years on, 1 in 4 apps still vulnerable to Log4Shell