
Log4Shell

Log4Shell (CVE-2021-44228) was a critical vulnerability in the widely used Java logging library Apache Log4j, disclosed in late 2021. Through crafted strings in log messages, an attacker could execute arbitrary code on the server (remote code execution). The vulnerability received the highest CVSS score of 10.0 because it was trivial to exploit and Log4j is embedded in countless applications. Log4Shell illustrates why an up-to-date software inventory (SBOM) and a functioning vulnerability management process are indispensable in your ISMS. Without an inventory, you cannot determine which systems use an affected library.
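The inventory lookup described above can be sketched as follows. This is an added example, not part of the original glossary entry: it assumes one CycloneDX-style JSON SBOM per system, and the system names, version numbers and the fixed-version threshold are constructed placeholders.

```python
import re

# purl coordinates of the Log4j core artifact (Maven group/artifact).
TARGET = "pkg:maven/org.apache.logging.log4j/log4j-core"

def version_key(version):
    """Numeric release tuple; pre-release suffixes are ignored (simplification).
    An unparseable version yields (), which sorts lowest and is therefore flagged."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(n) for n in m.group().split(".")) if m else ()

def walk(components, path=()):
    """Yield (path, component) for every component, including nested ones."""
    for comp in components or []:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk(comp.get("components"), here)

def find_affected(sboms, fixed_version):
    """Return (system, version, path) for each TARGET older than fixed_version."""
    hits = []
    for system, sbom in sboms.items():
        for path, comp in walk(sbom.get("components")):
            # Drop purl qualifiers ("?type=jar"), then split off the version.
            purl, _, version = comp.get("purl", "").split("?")[0].partition("@")
            if purl == TARGET and version_key(version) < version_key(fixed_version):
                hits.append((system, version, " > ".join(path)))
    return hits

# Constructed sample inventory: one CycloneDX-style SBOM per system.
# Version numbers are made up and are not real Log4j releases.
SBOMS = {
    "billing-api": {"components": [
        {"name": "log4j-core", "purl": TARGET + "@10.1.0?type=jar"}]},
    "search-node": {"components": [
        {"name": "vendor-bundle", "purl": "pkg:maven/com.example/vendor-bundle@4.2.0",
         "components": [{"name": "log4j-core", "purl": TARGET + "@10.0.3"}]}]},
    "portal": {"components": [
        {"name": "log4j-core", "purl": TARGET + "@10.2.0"}]},
    "batch": {"components": [
        {"name": "slf4j-api", "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.0"}]},
}
PLACEHOLDER_FIXED = "10.2.0"  # placeholder; use the fixed release from the vendor advisory

if __name__ == "__main__":
    for hit in find_affected(SBOMS, PLACEHOLDER_FIXED):
        print(*hit, sep="\t")
```

The nested case matters in practice: a copy of the library bundled inside another vendor's component only shows up if the SBOM records it and the query descends into nested components.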