Shellshock is a newly emerged major Internet threat that affects a common software tool found in many operating systems known as Bash, or Bourne-again Shell.
"The pervasive use of Bash and the potential for this vulnerability to be automated presents a material risk," the Federal Financial Institutions Examinations Council said.
The FFIEC is an interagency body that can prescribe common standards for banks that includes the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and others.
The banks should identify all their systems that use Bash and update them, and should also check third-party software, the group of regulators said.
Meanwhile Oracle Corp warned customers on Friday that more than 30 products are vulnerable to the "Shellshock" bug, including its high-end Exadata computer systems.