It can potentially be exploited via anything that shells out to bash with an environment that contains environment variables with values (that ultimately comes from) an untrusted source.

mod_cgi is just one of the most obvious attack vectors.

Any software where adversary-controlled input can set environment variables which then execs bash is affected. mod_cgi is just really easy to exploit.