Although it can be exploited in some cases, the good news is that not all implementations can be exploited, and only certain services and applications allow a hacker to exploit this issue. Please see our article on Naked Security for an explanation of the vulnerability itself.

In addition, we have examined our products and we are confident that the Shellshock vulnerability can’t be exploited in any Sophos product. Our IT systems have also been patched or were not vulnerable. For the latest information on how this bug affects Sophos products, please refer to our knowledgebase article from Sophos Support. 

You can read the original article, here.