There is evidence that this is being exploited in the wild.
Nginx and Apache servers using mod_cgi are two potentially vulnerable services.
The risk is that it is possible to modify environment variables which then could allow the execution of arbitrary code with the permissions of the parent process.
An example attack:
Over at the Internet Storm Center http://isc.sans.org/ they have been updating their advisory and and a have a simple one-liner to test if a system is vulnerable.