Shellshock is a remote command execution vulnerability in BASH. The vulnerability arises because BASH incorrectly executes trailing commands when it imports a function definition stored in an environment variable.
Threat actors exploiting the vulnerability can issue commands remotely on the target host. While BASH is not inherently Internet-facing, many internal and external services, such as web servers, use environment variables to communicate with the server’s operating system. If those data inputs are not sanitized before execution, attackers can send HTTP requests carrying commands that are then executed by the BASH shell.
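As an added example (not code from the original page), the following Python code flags request header values shaped like a function definition and extracts any text trailing the function body, which is the part BASH wrongly executed on import. The CGI-style `HTTP_*` variable naming, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# BASH treats an environment value that begins with "() {" as an exported function.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

def split_function_value(value):
    """Return (body, trailing) if value looks like a function definition, else None.
    Heuristic brace matching: quoting inside the body is not interpreted."""
    m = FUNC_PREFIX.match(value)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(value)):
        ch = value[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # Everything after the closing brace is the trailing text.
                return value[:i + 1], value[i + 1:].strip(" ;\t")
    return value, ""  # unterminated body; still worth flagging

def cgi_env(headers):
    """Map request headers to CGI-style variable names (assumed: HTTP_USER_AGENT, ...)."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}

def scan_request(headers):
    """Return [(variable, trailing_text)] for values shaped like function definitions."""
    findings = []
    for name, value in cgi_env(headers).items():
        parts = split_function_value(value)
        if parts is not None:
            findings.append((name, parts[1]))
    return findings

# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    {"Host": "intranet.example", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"Host": "intranet.example", "User-Agent": "() { :; }; echo probe"},
    {"Host": "intranet.example", "Referer": "() { ignored; }"},
]

if __name__ == "__main__":
    for n, req in enumerate(SAMPLES):
        for var, trailing in scan_request(req):
            print(f"request {n}: {var} holds a function definition; trailing={trailing!r}")
```

A legitimate header value has no reason to begin with `() {`, so any finding merits review even when the trailing text is empty.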