I don't doubt this has happened but also just as likely they did know about it but some dumbass product owner decided it wasn't a high priority until someone external reported it. My company has hundreds of similar (not just security) issues just lying around.