I suspect client developers are also affected at least to the extent that they need to explain this RCE to CVE driven management.