I recently ran into this with mRemoteNG, a windoze software client for SSH and remote desktop use, so, like, something mostly system administrators would use, and it was still using an ancient, vulnerable log4net, a variation of log4j with the same vulnerabilities. My FortiClient EPP software noticed it and alerted me; luckily I had some enterprise security to do so, but how many others do not?
Looking up the software project's GitHub to post an issue, I found that someone else with the same alert from FortiClient had told them years ago, and they closed it, telling someone to get the "nightly" version vs. the ancient and non-updated main app from the website that, you know, 99% of people including myself would just download to use. I opened a new ticket asking them to patch the main version ffs too, and they finally did after some nagging and public shaming, but by this point I had already uninstalled it, cursing having to use anything like that on windoze in the first place.
Anything on windoze, particularly third-party software, I imagine is all a rat's nest of vulnerable dependencies that never get updated. I use windoze for anything as little as possible for that reason alone, usually only keeping it around as my Visio runtime.