A critical security Exploit has been discovered in the multiplayer version of Minecraft, which includes servers and clients running versions of Minecraft as far back as 1.7.

Mojang has not officially provided any specifics about the exploit but advises players not to play any versions before Minecraft 1.17 for the time being. If you're using vanilla launcher restarting the game's launcher should download a fix for the vulnerability, fixing Minecraft versions 1.12 through 1.18. Versions prior to Minecraft 1.12 may still be vulnerable. The exploit is related to Log4j, before version 2.15, which can be found in the Minecraft client and server.

Any Minecraft server running a vulnerable version of Log4j is susceptible to having an attacker remotely run the downloaded code on a user's computer, which may allow the attacker to gain access to the device. The vulnerability lies in Log4j which allows connections to be made to arbitrary URLs, which may then download malicious code to a user's computer.

ExtremeCraft already patched the issue, but you should be sure you're running Minecraft 1.17 or higher, update your Launcher, or both.

As a temporary workaround before the release of 1.18.1, Mojang advises disabling the lookup feature of Log4j using a JAR argument when starting the game (enabled by default when you update your Launcher): -Dlog4j2.formatMsgNoLookups=true