Eight months after the discovery of Log4Shell, the American Cybersecurity and Infrastructure Security Agency declared that “the Log4j event is not over and is an endemic vulnerability that will remain in systems for many years to come, perhaps a decade or longer”. Although experts can provide proof of exploitation, the impact on a large scale is unknown because organizations do not share or even collect such information.
The full report: cisa.gov