Full Disclosure mailing list archives
SEC Consult SA-20260414-0 :: Improper Enforcement of Locked Accounts in WebUI (SSO) in Kiuwan SAST on-premise (KOP) & cloud/SaaS
From: SEC Consult Vulnerability Lab via Fulldisclosure
Date: Tue, 14 Apr 2026 10:31:18 +0000
SEC Consult Vulnerability Lab Security Advisory < 20260414-0 >
============================================...
The strongest version of this narrative is that a legitimate security vulnerability was responsibly disclosed, acknowledged, and patched by the vendor. The researchers followed ethical disclosure practices, and the vendor responded appropriately, albeit with some delays in the on-premise fix. The vulnerability itself is a clear example of inconsistent security controls—where one part of the system (KLA) enforces account lockout while another (WebUI) does not. This inconsistency could lead to una...
