U.S. cybersecurity officials have ordered federal agencies to protect their systems against a major computer vulnerability by Christmas Eve, reports the BBC. The Cybersecurity and Infrastructure Security Agency (CISA) set the deadline for security patches to tackle Log4shell, one of the most serious security flaws in the past decade. CISA head Jen Easterly has called it “a severe risk.” Separately, Microsoft has warned some nation-state hacking groups are using Log4shell. “Multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey” were using the vulnerability, the company said, for activities ranging from “experimentation” to targeted attacks. CISA added it to the “Known Exploited Vulnerabilities Catalog” a list of common security flaws that carry significant risk to the federal organizations. The agency said federal civilian executive-branch agencies must “mitigate” the problem – with IT systems patched with new software – by Dec.24. A particular concern with Log4shell has been the ease with which it can be used. Security company Crowdstrike said it was “trivial” to exploit. In the past four months, Log4J, the code containing the flaw, has been downloaded 84 million times from the largest public repository of open-source Java components, according to security company Sonatype. Millions of computers running online services use it for logging or recording events. “For example, when you buy something online, your username might be written to a log file for later processing,” Cloudflare’s chief technical officer John Graham-Cumming said. “Unfortunately, a flaw in Log4j meant that by using special characters in data that is logged, it is possible to get a machine inside a company to run code that an attacker controls. “This gives them a foothold inside what would normally be a secure, protected computer.” Cloudflare, which provides internet security and other services meant to help online businesses operate smoothly, told BBC News it had blocked 1.3 million attempts to use Log4shell in just one hour, on Tuesday. Updates protecting against the flaw have been issued. The U.K.’s National Cyber Security Centre has called on companies to “urgently” follow its advice on mitigating the problem and “install the latest updates immediately wherever Log4j is known to be used.” But security news site SC Media reported experts “estimated months to years of finding new instances of this vulnerability across enterprises and vendors.”