“Spray the desired command payload enough times to increase the chance that one copy lands adjacent to apiuser.”
An uninitialized heap buffer and a missing null terminator turn into unauthenticated remote code execution on your load balancer. That’s the box sitting in front of everything else on the network, the one enterprises buy specifically because it’s supposed to be the hardened part. Spray enough garbage at an uninitialized string function and eventually it lands where it shouldn’t. If you’re running Kemp LoadMaster, this patch isn’t optional.