And yet it is an ARI hack. So if putting on the table ARI allowed no auth access, which it shouldn’t and thus would be a bug, then Asterisk not hearing about this for the last 3 weeks (since this was reported) is kind of relevant. This would fall under a security flaw and a security release of the current version (ala 18.16.1 or 20.0.1) would be released to fix it.
In other words, Asterisk bugs impact all users of Asterisk, including FreePBX users. FreePBX bugs only impact FreePBX users or those deriving from FreePBX.