Can anyone explain the Apache Log4j Vulnerability?


I keep hearing about this particular vulnerability and the severity of it. However, I am not familiar with what exactly it is and how it affects systems. Can you ELI5? Perhaps the use of an analogy may help?


2 Answers

Anonymous

Well, this one is a standard exploit. A system didn’t make sure you couldn’t do malicious things.

Ex: a website written in Java has a text box. You know this system is logging information using log4j. You put in some text that contains a script that can do some things. The web app logs what you wrote, and then log4j, not having a “don’t actually do anything with this script” boundary, actually goes off and does the thing.

There are a few more levels in there, but that’s the gist of it.

Anonymous

In Java (and many other programming languages) there is a concept of code libraries. These are basically packages of code for performing specific tasks that programs can include instead of the programmers for that program having to write the code themselves. log4j is one such library containing code for handling writing things to a log file. It is used by a lot of other common software around the world, particularly software that runs on servers.

One of the things you could do with it when writing things to the log was to include what were essentially instructions in a special format within the text you want written, which would then be replaced in the file by whatever text or value log4j got by following those instructions. This is useful for a lot of entirely non-malicious things.

The exploit arose when someone found out that by writing specific things in this special format, they could get log4j to connect to an external server of their choice and download new code to execute from it. Getting the targeted computer to run code that you wrote yourself is basically the end-goal of hacking, since that code can then start to do things that you need to gain further control over the target.

Because many, many applications write user input to log files among other things, the exploit could be initiated by something as simple as including this malicious piece of specially formatted text in something you say in a chat or send in a message.
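As an added illustration (not code from this thread, and not log4j itself), here is a toy Python logger that models the root cause the second answer describes: a log line can contain lookups that get expanded, and the vulnerable version expands them even when they arrived inside user input. The `${name:arg}` syntax, the `env`/`remote` resolver names and the host `lookup-server.example` are all constructed for this example; the "remote" resolver only records the connection it would have made.

```python
import re

# Toy lookup syntax modelled on the "${name:argument}" idea; not log4j's real parser.
LOOKUP = re.compile(r"\$\{([a-zA-Z]+):([^}]*)\}")


def resolve(kind, arg, events):
    """Resolve one lookup. 'env' stands in for a harmless lookup; 'remote' stands in
    for a lookup that contacts a server named in the argument (constructed names)."""
    if kind == "env":
        return {"HOST": "app01"}.get(arg, "")
    if kind == "remote":
        events.append(("connect", arg))  # record the outbound call instead of making it
        return "<remote>"
    return "${%s:%s}" % (kind, arg)  # unknown lookups are left untouched


def log_vulnerable(template, user_input, events):
    """Splice user data into the line first, then expand every lookup in the whole
    line. Lookups hidden inside user_input are therefore honoured: the missing
    'don't act on this' boundary from the first answer."""
    line = template.replace("{}", user_input)
    return LOOKUP.sub(lambda m: resolve(m.group(1), m.group(2), events), line)


def log_fixed(template, user_input, events):
    """Expand lookups only in the developer-written template, then splice user data
    in as inert text, so nothing a user sends can trigger a lookup."""
    expanded = LOOKUP.sub(lambda m: resolve(m.group(1), m.group(2), events), template)
    return expanded.replace("{}", user_input)


def find_lookups_in_input(text):
    """Defensive check: list lookup-shaped strings arriving in untrusted input so
    they can be flagged or alerted on before they reach a logger."""
    return [m.group(0) for m in LOOKUP.finditer(text)]


if __name__ == "__main__":
    template = "user said: {} on ${env:HOST}"
    untrusted = "hi ${remote:lookup-server.example}"  # constructed sample input
    seen = []
    print(log_vulnerable(template, untrusted, seen), seen)
    seen = []
    print(log_fixed(template, untrusted, seen), seen)
    print(find_lookups_in_input(untrusted))
```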