In September 2014, a 25-year-old piece of code in one of the most widely deployed pieces of software on the planet turned out to let attackers run arbitrary commands on millions of servers with a single crafted HTTP header. The Shellshock vulnerability — tracked primarily as CVE-2014-6271, with a cluster of related follow-on CVEs — affected GNU Bash, the default command shell on the vast majority of Linux and Unix systems, as well as macOS at the time. Because Bash sits underneath CGI scripts, SSH forced commands, DHCP clients, mail servers, and countless embedded devices, Shellshock was rated as severe as vulnerabilities get: CVSS 10.0 under CVSSv2, trivial to exploit, requiring no authentication, and reachable remotely over the network in an enormous number of real-world deployments. Within 24 hours of disclosure, honeypots and IDS telemetry showed mass internet-wide scanning and exploitation, and Shellshock has remained a fixture of botnet and worm toolkits ever since.
What Shellshock actually was
Bash allows environment variables to carry exported shell functions. The parser responsible for importing these functions had a bug: after parsing a function definition stored in an environment variable, Bash continued executing any trailing text that followed the closing brace as shell commands, rather than discarding it. An environment variable that looked like this:
() { :; }; echo "vulnerable"
would cause Bash to run echo "vulnerable" the moment a new shell was spawned that inherited that variable — no shell invocation by the attacker required, no login, no authentication. All that was needed was a way to get an attacker-controlled string into an environment variable that Bash would later parse.
That "way in" turned out to be everywhere. The canonical attack path was CGI: web servers implementing the Common Gateway Interface pass HTTP request headers (User-Agent, Referer, Cookie, and others) into environment variables before invoking a script, and if that script — or the interpreter running it — was Bash, or Bash was invoked as a subshell anywhere in the request path, the payload executed with the privileges of the web server. Beyond CGI, researchers and attackers quickly demonstrated exploitation via OpenSSH's ForceCommand and AcceptEnv directives, DHCP clients that set environment variables from DHCP server responses, Qmail and other mail transfer agents, Git and Subversion hooks, and various embedded/IoT management interfaces built on BusyBox-adjacent or full Bash environments.
Affected versions and components
Shellshock affected GNU Bash versions 1.14 through 4.3 — effectively every Bash release in general use since 1989, prior to the emergency patches issued in September 2014. It was not a Linux-distribution-specific bug; it was upstream in Bash itself, which meant every distribution that shipped Bash was exposed: Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, SUSE, Amazon Linux, Apple's OS X/macOS (which shipped Bash as the default shell through Mavericks and Yosemite), and a long tail of network appliances, routers, NAS devices, and IoT firmware that embedded Bash rather than a minimal shell like dash or ash.
Because Bash is a base-layer dependency, the practical blast radius extended to anything built on top of it: Apache mod_cgi and mod_cgid deployments, PHP applications invoking shell commands through system()/exec() on a Bash-backed shell, DHCP clients (dhclient), OpenSSH servers with restrictive command configurations, CUPS printing services, and virtualization/appliance management consoles that shelled out to Bash for configuration tasks.
CVSS, EPSS, and KEV context
- CVE-2014-6271 — the original and most severe flaw, CVSS v2 base score of 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) — unauthenticated, network-exploitable, complete compromise of confidentiality, integrity, and availability.
- CVE-2014-7169 — the initial patch for CVE-2014-6271 was incomplete; this follow-up CVE covered a related file-creation/command-injection bypass discovered almost immediately after the first fix shipped.
- CVE-2014-7186 and CVE-2014-7187 — out-of-bounds memory access issues in Bash's parser (heap buffer over-read and array index errors) found during the deeper audit that followed the initial disclosure.
- CVE-2014-6277 and CVE-2014-6278 — additional memory corruption and code-execution issues identified by Florian Weimer during a more thorough Bash parser review, addressed in later patch rounds.
Given its unauthenticated, network-reachable, wormable nature, Shellshock's EPSS score has sat consistently at or near the top of the scale (effectively saturated near 1.0/100th-percentile) since EPSS scoring existed, reflecting the fact that exploitation isn't hypothetical — it is continuously observed in the wild. Shellshock (CVE-2014-6271 and companions) is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which for federal agencies and KEV-tracking organizations makes remediation mandatory rather than optional. Any vulnerability scanner or SCA tool that maps EPSS/KEV context should flag Bash instances at pre-patch versions as a "patch immediately" finding regardless of how the asset appears to be exposed on paper — attackers have had over a decade to find indirect paths to trigger it.
Timeline
- September 24, 2014 — Stéphane Chazelas discloses CVE-2014-6271 to the Bash maintainers and distribution security teams; public advisory and initial patches ship the same day.
- September 24–25, 2014 — Within hours, mass internet scanning begins. Honeypots record automated exploitation attempts against CGI endpoints globally; the first working worm payloads and botnet integrations (including variants later associated with the "Mayhem" and Kaiten-derived malware families) appear almost immediately.
- September 25, 2014 — CVE-2014-7169 is disclosed after researchers show the original patch is incomplete and a bypass exists.
- September 26–27, 2014 — Distribution maintainers race to ship a second round of patches; Akamai, Cloudflare, and other edge providers roll out WAF rules to blunt exploitation while patches propagate.
- Late September–early October 2014 — Florian Weimer's deeper parser audit surfaces CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278, prompting further patch releases (Bash 4.3 patch levels continuing through at least patch 27).
- October 2014 onward — Shellshock exploitation becomes a persistent background feature of internet scanning traffic; unpatched CGI endpoints, embedded devices, and forgotten legacy systems continue to be exploited for years afterward, and Shellshock scan signatures remain some of the most common patterns seen in IDS/WAF logs a decade later.
Remediation
- Patch Bash immediately. Update to a Bash release that resolves all six CVEs in the Shellshock cluster (distribution security advisories reference the correct patch level for each release; on RHEL/CentOS/Debian/Ubuntu this means applying the vendor-backported fix, not just "any newer Bash"). Verify the fix rather than trusting the version string — run the classic test:
A patched Bash prints onlyenv x='() { :;}; echo VULNERABLE' bash -c "echo test"test; a vulnerable one also printsVULNERABLE. - Inventory every Bash instance, not just servers. Check network appliances, NAS devices, printers, DHCP clients, container base images, and CI/CD runners — anywhere Bash is present as a dependency, even indirectly through a base OS image.
- Rebuild and redeploy affected container images. If Bash was baked into a container base image at build time, patching the running host does nothing; the image itself must be rebuilt from an updated base and redeployed.
- Harden CGI and shell-invoking code paths as defense in depth. Where legacy CGI scripts can't be immediately retired, restrict which headers get passed into the environment, run CGI handlers with least-privilege service accounts, and prefer
dash/ash/POSIXshover Bash for scripts that don't need Bash-specific features. - Deploy WAF/IDS signatures as a stopgap, never as the fix. Rules matching the
() { :; };pattern in headers buy time during patch rollout but are trivially bypassed with encoding tricks and should not be treated as a substitute for patching. - Audit for post-compromise indicators on any host that was internet-facing and unpatched between September 2014 and its eventual patch date — cron jobs, SSH authorized_keys, and outbound C2 traffic are common artifacts left by opportunistic Shellshock worms.
How Safeguard Helps
Shellshock is the textbook argument for why vulnerability management can't stop at "a CVE exists in my SBOM." Safeguard's SBOM generation and ingest pipeline surfaces every Bash instance across your fleet — including the ones buried in base container images, embedded firmware manifests, and forgotten CI runners — so nothing gets missed in an inventory sweep. From there, Safeguard's reachability analysis determines which of those Bash instances are actually invoked through an exploitable path (a CGI handler, an SSH ForceCommand, a DHCP hook) versus installed but never triggered, letting teams prioritize the handful of genuinely exploitable instances instead of chasing every match in a scan report. Griffin AI, Safeguard's reasoning engine, correlates that reachability signal with CVSS, EPSS, and KEV status to explain in plain language why a given finding is urgent and what the real-world attack path looks like. When a fix is available, Safeguard can open an auto-fix PR that bumps the affected base image or package pin directly in the repository, turning a decade-old but still-active threat into a same-day remediation instead of a lingering audit finding.