Thank you for the response; I was attempting to NOT have to make assumptions. You understand my confusion given the difference in wording between the two CVEs. Did the team doing analysis of the IOActive research CONFIRM no GUI authentication is necessary?
Restricting GUI access via ACL is a given; however, it only reduces the attack surface. ACL + strong GUI password policy would be better... if the authentication matters.