Sure, but is EOL really a defense given the absolutely pathetic security posture that created this exploit in the first place? Is there a statute of limitations on mind boggling levels of incompetence?

I'd usually give the EOL argument some credit, but this exploit is not an accident, someone deliberately wrote an unauthenticated remote command execution as a feature, and it made it to production, and no one in this long chain of failures thought to themselves "gee, maybe we shouldn't do this"