None of the current servers are exploiting this at the moment; however, multiplayer servers using third-party plugins such as SourceMod or maps using point_clientcommand have the potential to execute any command from the server onto the client. (I think)
This is supposedly caused by the concommand flag SERVER_CAN_EXECUTE not appearing to function correctly, meaning servers can fire malicious client commands onto the player, whereas the whitelist concommand flag SERVER_CAN_EXECUTE allowed only certain commands to be executed in the rest of the Source multiplayer games. I’ve tested this with SourceMod as well as the point_clientcommand entity.
I hope this gets resolved soon; I really don’t want to see “slow-hacking” become a problem again. Thank you.