The vulnerability (CVE-2016-4010) allows an unauthenticated attacker to execute PHP code on the vulnerable Magento server. It actually consists of many small vulnerabilities, as described further in the blog post.
The vulnerability assumes that one of the RPC interfaces (REST or SOAP) is enabled. As both are enabled by default, and one of them is actually required by the system, this assumption holds in the vast majority of installations.
In this document I will use the SOAP API, as XML is more readable in this case.
This vulnerability works on both the Community Edition and Enterprise Edition of the system.