@fredbrooker calling bullshit. Extraordinary claims require some evidence at least, and saying it's embargoed is not an excuse if the researcher wants to complain about it.
Red Hat and Canonical accept that the existence of a registered CVE is not the same as it being accurate or correct. They don't validate findings, just register reports of vulnerabilities to track.
Getting pushback? You can demonstrate that without breaking an embargo, but the pushback is almost certainly deserved.
Speculating that it's a hard-coded password? That would be an insane coup from whoever pulled it off and absolutely needs something to base it off of.
Pasties @ Shmoocon