CVE-2014-6271: Shellshock Bash Vulnerability Explained, Exploit, and Mitigation
A CVSS 10.0 flaw in GNU Bash present for 25 years that executes commands injected into environment variables. Any CGI endpoint invoking Bash became an unauthenticated RCE vector reachable via a single HTTP request.
CVE-2014-6271, known as Shellshock, is a remote code execution vulnerability in the GNU Bash shell discovered in September 2014. The flaw had existed in Bash's source code for approximately 25 years undetected. It scores CVSS 10.0 — the maximum — because it is remotely exploitable without authentication, requires no user interaction, and provides complete system compromise on any server where Bash processes attacker-controlled input.
The most common exploitation path is through CGI-based web applications. Web servers pass HTTP request headers as environment variables to CGI scripts. If those scripts invoke Bash, the malicious header executes arbitrary commands as the web server process user. Mass exploitation via automated scanning tools began within hours of public disclosure. An estimated 500 million systems were vulnerable — Linux servers, macOS systems, network appliances, and embedded devices.
How Shellshock Works: Function Injection via Environment Variables
GNU Bash evaluates function definitions stored in environment variables at shell startup. A function is defined with the syntax: `VAR='() { commands; }'`. The Shellshock flaw is that Bash does not stop parsing after the closing brace — it continues executing any commands that follow. Setting an environment variable to `() { :;}; malicious_command` causes `malicious_command` to execute every time a new Bash process starts with that variable in its environment.
Web servers executing CGI scripts pass HTTP headers directly as environment variables. The User-Agent header becomes the HTTP_USER_AGENT environment variable. An attacker sets User-Agent to a Shellshock payload — such as a reverse shell command — and the server passes it to Bash as an environment variable. When the CGI script invokes Bash, the embedded command executes with the web server's process privileges. No authentication is required. No prior interaction with the server is needed.
Identify CGI endpoints invoking Bash
Scan for web servers exposing CGI scripts. Any endpoint whose server-side script invokes /bin/bash or /bin/sh is a candidate. Automated tools scanned the entire internet within 24 hours of disclosure.
Send malicious HTTP header
Send an HTTP request with a Shellshock payload in the User-Agent, Referer, Cookie, or any other header that the server passes as an environment variable to CGI scripts.
Command executes on server
The web server forks a Bash process to execute the CGI script. Bash starts, evaluates the malicious environment variable, and executes the injected command with the web server process's privileges (commonly www-data or apache).
Deploy persistent access
Common first-stage payloads include reverse shells, cron job additions, IRC bot installation, and web shell deployment. Attackers establish persistence before pivoting to further exploitation.
Scale of Exploitation and Non-Web Attack Vectors
Within 24 hours of disclosure, botnet operators were mass-scanning internet-facing CGI endpoints. The QBot botnet was among the first to weaponize Shellshock for automated recruitment. DHCP clients also represent an attack vector — a rogue DHCP server can inject Shellshock payloads through the hostname or domain options passed to client-side scripts. SSH ForceCommand restrictions that invoke Bash can be bypassed. Git repository post-receive hooks using Bash are exploitable if they process untrusted input.
Network appliances and IoT devices running embedded Linux with Bash presented a long-tail problem. Many had no available firmware update and remained vulnerable indefinitely. These devices became persistent footholds in enterprise networks — compromised by automated Shellshock scanners and never remediated because the devices themselves were never inventoried.
“This vulnerability is potentially the largest security flaw discovered in years. Any system, device, or application relying on Bash to process requests from users could be vulnerable to remote code execution.”
— US-CERT Alert TA14-268A, September 2014
Patching and Detecting CVE-2014-6271
The initial Bash patch released September 24, 2014 was incomplete — the bypass CVE-2014-7169 was published the same day. Complete remediation requires the full patch series addressing CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.
Update Bash on all systems via package manager
On Ubuntu/Debian: `apt-get update && apt-get install bash`. On RHEL/CentOS: `yum update bash`. On SUSE: `zypper update bash`. Verify the complete fix with: `env x='() { :;}; echo VULNERABLE' bash --norc -c 'echo test'`. A patched system returns only `test`.
Apply to embedded and network devices
Routers, NAS devices, printers, and IoT devices running embedded Linux with Bash require vendor firmware updates. Identify all such devices in your environment and check vendor advisories. Devices with no available update should be network-isolated.
Audit CGI applications and migrate where possible
Identify all CGI scripts invoking Bash and consider migrating to Python, Perl, or PHP interpreters. As a defense-in-depth measure, WAF rules blocking the `() { :;}` pattern in HTTP headers stop the most common exploitation path.
Search for Shellshock compromise indicators
Check web server access logs for User-Agent, Referer, or Cookie values containing `() {`. Examine cron entries, /tmp/ and /var/tmp/ for unexpected files, and auth logs for new user accounts created around September 2014.
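As an added example (not code from the original article), the WAF-style header check and the access-log search from the two steps above, in one Python script. It assumes the Apache/nginx combined log format, in which only Referer and User-Agent are recorded, and the log lines are constructed samples rather than a real capture.

```python
import re

# Bash exports a function as VAR='() { body; }'. Shellshock payloads reuse
# that prefix and append commands after the closing brace, so the prefix
# itself is the indicator. Whitespace between "()" and "{" is optional.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format (assumed): the two trailing quoted
# fields are Referer and User-Agent. Cookie is not logged by default, so a
# log search alone cannot cover that header; the request-time check can.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def cgi_env_name(header: str) -> str:
    """Header name -> CGI meta-variable name, e.g. User-Agent -> HTTP_USER_AGENT."""
    return "HTTP_" + header.strip().upper().replace("-", "_")

def suspicious_headers(headers: dict) -> list:
    """Request-time check (a WAF-style rule): return the CGI variable names
    whose values carry a Bash function-definition prefix. Every header is
    checked, because every header becomes an environment variable."""
    return [cgi_env_name(h) for h, v in headers.items() if SHELLSHOCK_RE.search(v)]

def scan_access_log(lines) -> list:
    """Return (client_ip, field, value) for combined-format log entries whose
    Referer or User-Agent contains the Shellshock prefix."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line; production tooling should count these
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits

# Constructed sample log lines (documentation addresses), not a real capture.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:03:14:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo VULNERABLE"',
    '198.51.100.2 - - [25/Sep/2014:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.test/" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Sep/2014:03:15:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :; }; /bin/true" "curl/7.38"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Feed a real log with `scan_access_log(open("/var/log/apache2/access.log"))`; the third sample shows why the pattern must tolerate missing whitespace, and the Referer hit shows why User-Agent alone is not enough.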
The bottom line
Shellshock is a foundational example of how a single parsing flaw in a ubiquitous Unix component becomes a category of vulnerability affecting hundreds of millions of systems simultaneously. GNU Bash was the default shell on virtually every Linux system and macOS. CGI was the dominant server-side scripting mechanism for a generation of web applications. The intersection created an attack surface of extraordinary breadth reachable from any HTTP client.
The bypass CVEs (CVE-2014-7169 and companions) published the same day as the original advisory highlight a recurring pattern: initial patches for complex parsing vulnerabilities are frequently incomplete. Always verify that your remediation covers the complete vulnerability family, not just the lead CVE.
Frequently asked questions
What is CVE-2014-6271 (Shellshock)?
Shellshock is a CVSS 10.0 vulnerability in GNU Bash where function definitions stored in environment variables execute any commands appended after the closing brace. Any service that passes attacker-controlled data through environment variables into a Bash process — primarily CGI scripts — is remotely exploitable without authentication.
How serious is Shellshock?
Maximum severity — CVSS 10.0. A single HTTP request with a malicious User-Agent header achieves unauthenticated RCE on any server running a CGI script that invokes Bash. Roughly 500 million systems were vulnerable at disclosure. Mass exploitation began within 24 hours.
Was CVE-2014-6271 exploited in the wild?
Yes, immediately. Botnets, worms, and automated scanning tools exploited CGI endpoints within hours of disclosure. Nation-state actors and criminal groups both weaponized Shellshock. Exploitation continued for years on unpatched embedded devices.
Is Shellshock still relevant today?
Embedded devices and legacy systems with no update path may still run vulnerable Bash. Any internet-exposed CGI endpoint that was not patched in September–October 2014 has likely been compromised and may still host backdoors placed a decade ago.
How do I patch CVE-2014-6271?
Update the bash package via your distribution's package manager and verify with: `env x='() { :;}; echo VULNERABLE' bash --norc -c 'echo test'`. A patched system only returns `test`. The initial day-one patch was incomplete — ensure CVE-2014-7169 bypass patches are also applied.
Are there related Shellshock CVEs?
Yes. CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 are bypass and related vulnerabilities that required additional patches after the initial fix. Complete remediation requires all of these addressed, not just CVE-2014-6271.
Founder & Cybersecurity Evangelist, Decryption Digest