Okay, a pre-auth vulnerability is a plausible option I didn't consider; you are right.