Washington CNN  — 

US cybersecurity officials on Friday issued an “emergency directive” ordering all federal civilian agencies to quickly address a critical software flaw that is impacting big tech firms around the world.

The order from the US Cybersecurity and Infrastructure Security Agency gives federal agencies until December 23 to document internet-facing installations of the software on their networks and report data back to CISA. It also tasks agencies with comparing the vast public list of software products affected by the Log4J vulnerability with the software running on agency networks.

It’s one of the most urgent steps yet that the Biden administration has taken to address the flaw in so-called Log4J software, which US officials said this week could affect hundreds of millions of devices around the world.

CISA officials said this week that no federal agencies have been hacked using the vulnerability, but the emergency order is an effort to make sure of that by gathering much more data on federal agencies’ exposure to the issue.

Big tech firms from Amazon Web Services to IBM have raced to address the vulnerability in their products and published guidance for their customers on how to fix the flaw.

The order goes further than a previous CISA directive as it requires agencies to address instances of Log4J that are not just directly exposed to the internet but could be deeper in agency networks.

“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” CISA Director Jen Easterly said in a phone call with industry executives on Monday.

Overnight Wednesday, the US Patent and Trademark Office shut down external access to its computer systems for 12 hours due to “serious and time-sensitive concern” around the vulnerability.

Microsoft warned this week that hackers linked with China, Iran, North Korea and Turkey are exploiting the vulnerable software.

The Pentagon is taking “rapid action right now to identify and mitigate the Log4J vulnerabilities by monitoring for malicious cyberactivity and directing mitigation against potential exploitation,” press secretary John Kirby said Friday.

The Pentagon, he added, continues “to work with Cybersecurity and Infrastructure Security Agency, CISA, on a whole of government response.”

This story has been updated with additional details Friday.

CNN’s Michael Conte contributed to this report.