By now, everyone should have heard of the log4j RCE vulnerabilities (cve-2021-44228 and cve-2021-45046 and cve-2021-45105).
There is a opensource scanner released by CISA through collaboration with broader cybersecurity community called "Log4j Scanner".
Other than CISA, Metasploit has added a module called Log4Shell HTTP Scanner, which capable of identifying vulnerable instances via pre-determined HTTP request injection points.
Known impacted software includes Apache Struts 2, VMWare VCenter, Apache James, Apache Solr, Apache Druid, Apache JSPWiki, Apache OFBiz.
Links:
- https://github.com/cisagov/log4j-scanner
- https://www.rapid7.com/db/modules/auxiliary/scanner/http/log4shell_scanner/
- Qualys Scanner for Windows OS - Log4jScanWin.exe