Wow I’m glad I happened to see this here. Thank you for the post. I was just thinking about putting all my services behind a VPN too, I think I’m going to go ahead and put that at the top of the list…

I don't think a vpn would help here

Exploiting this vulnerability requires access to the service which wouldn’t be possible if it was behind a vpn

Unless it was the software package itself that was compromised.