Yes, except that none of the major hosting providers who host on behalf of thousands of clients (pantheon, acquia, etc) were able to find any examples in their logs of an attack signature prior to the disclosure. Just like shellshock has been sitting around for 25 years until somebody found it, it is highly unlikely that this vulnerabilty has been exploited prior to that, despite the fact that it was 'possible'.