The Shellshock bug meant that hackers had the potential to take down more websites through denial-of-service attacks, or to target unsuspecting users with malicious viruses, he warned. Kaspersky Lab declined to disclose the servers affected due to client confidentiality.
'Tip of the iceberg'
Other cybersecurity firms have also reported related attacks. London-based Digital Shadows, which tracks cyber-attacks in real time, told CNBC it had noted that the Bash vulnerability was being exploited.
"Many researchers have confirmed that it should be theoretically possible to create a worm that jumps from device to device. The evidence shows this is being exploited already and in an automated way," Digital Shadows CEO, Alistair Paterson, said by email.
Downloading updates, or "patches", is the way to protect against malicious attacks. Only a handful of developers have released Shellshock-related patches to date, and experts warned that many internet-facing devices might not receive regular updates, leaving them vulnerable to further attacks.
"We have only seen the tip of the iceberg so far," Kasper Lindegaard, head of vulnerability intelligence specialist Secunia, said by email, adding that only the most obvious attack methods had been used so far.
- By CNBC's Arjun Kharpal