
Tech Giants and Others Warn of Software Flaw

According to the companies, the bug, which is hidden in an obscure piece of server software called Log4j, has spurred inquiries into the scope of the problem at Amazon.com Inc., Twitter Inc., and Cisco Systems Inc. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued a vulnerability advisory and advised companies to take action.
Because the bug is simple to exploit and attacks are difficult to stop, the Log4j flaw might be used by hackers to break into company networks for years to come, according to Aaron Portnoy, chief scientist with the security firm Randori.
The flaw allows hackers to convert log data that keeps track of what consumers do on computer servers into harmful instructions that cause the system to download unlicensed software, giving them a foothold on a victim's network.
As Log4j is offered for free, it's unclear how many servers are affected by the bug, but the logging software has been downloaded tens of thousands of times, according to Mr. Goers.
Last week, hackers began exploiting the latest flaw to get access to servers running Microsoft's Minecraft gaming software, according to researchers. However, they rapidly observed widespread scanning and attempts to propagate the Log4j bug over the internet.
Microsoft advised Minecraft users to update their software to fix the flaw.
Cas van Cooten, a Dutch researcher, claimed to have discovered the bug in Apple Inc.'s servers, giving him access to Apple's operating system. Mr. van Cooten added that he immediately notified Apple of the problem.
Another researcher, Carson Owlett, said that consultants working with his security firm, Black Mirage LLC, were able to detect the problem on programs hosted by a variety of companies, including Twitter and LinkedIn, all of which are owned by Microsoft.
Since servers log everything from email addresses to internet navigation requests, these attempts might provide attackers a foothold on a vulnerable server deep within company networks, according to Ryan McGeehan, an independent security consultant who was previously a director of safety at Facebook.