The xymon CGI interface runs via shell wrappers around the actual C cgi code (to set the environment properly), which means this would be an avenue for attack. Indeed, this one is nasty. Fortunately, most Linux systems I know of have /bin/sh linked to /bin/dash and hence are not vulnerable.
In light of this, I think it is about time we retire the shell-script wrappers from Xymon. I have written a replacement which is now checked into the 4.3.18 branch.
There is a preliminary release of 4.3.18 available on https://www.xymon.com/patches/ - feel free to try it out. I will release 4.3.18 over the weekend unless I find some problems with it.
NOTE: Replacing the shell script wrappers means that the cgioptions.cfg file is no longer processed as a shell script. The new wrapper works fine with the default version of cgioptions.cfg, but it you have modified it in a way that it relies on being processed by a shell, then it will break.
Regards, Henrik