From my understanding, it's only on the user end of things. The Active-X allows extra commands to operate without the user's interaction. Personally, on my computers, Active-X is disabled on all sites unless I give specific access to a site I trust.
I don't believe the exploitation flows back to the server (unless the script loaded up a DDoS script to go after the serving page or something).