The Apache Log4j Remote Code Execution is used in everything from webcams to navigation apps, but contains a critical flaw which could give cyber criminals password-free access online systems, allowing them to access data and even plant malware.

A week ago the Australian Cyber Security Centre (ACSC) issued an alert about Apache Log4j, and on Wednesday it publicly confirmed the vulnerability is being actively exploited in Australia.

"We know that malicious online actors are scanning networks in attempts to locate vulnerable servers, so it's critical that Australian organisations act, and act fast," Assistant Defence Minister Andrew Hastie said.

The vulnerability has sent companies and other organisations scrambling to install patches to protect against malicious intrusions into their IT.

Victoria's education department even had to warn kindergartens and childcare centres, telling them late on Friday to be on the alert "for any strange computer or application behaviour".

The alert may be of particular concern given that early childhood centres store confidential, sensitive information regarding young children.

Early childhood centres have been told to notify IT if they notice anything strange - but many do not have their own IT technician, and have been given a department phone number instead.

Technicians have been advised to disconnect vulnerable servers and computers from the internet.

Kindergartens and childcare centres that have already closed for the Christmas break have been told to contact the department's hotline immediately.

Australian Associated Press