20% to 50% of webpage servers thought to be affected.
A critical vulnerability has emerged in a common component of Linux, Mac OS X and Unix, according to enterprise software firm Red Hat.
Hackers can exploit the bug in the command processor Bash without authentication, using it to access sensitive information, modify computer systems and disrupt services.
Josh Bressers, product security manager at Red Hat, told Threat Post: "It’s super simple and every version of Bash is vulnerable.
"It’s extremely serious, but you need very specific conditions in place where a remote user would be able to set that environment variable. Thankfully, it’s not common."
The National Vulnerability Database, which is sponsored by the US government, gave the bug full marks for impact and exploitability, and some have compared the flaw to the Heartbleed OpenSSL vulnerability discovered earlier this year.
Darien Kindlund, threat researcher at FireEye, said: "This bug is horrible. It’s worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic.
"Conservatively, the impact is anywhere from 20% to 50% of global servers supporting web pages. Specifically, this issue affects web servers using GNU BASH to process traffic from the internet."
The bug was originally discovered by Stephane Chazelas, an IT manager at SeeByte, which creates software for underwater vehicles and other computer systems for military and energy firms.