CS0942609 - raised in Feb 2021 - appeared to identify an exploit vulnerability in ACA that allows ACA security controls to be bypassed;
CS0932996 - raised in Jan 2021 - appeared to identify a failure in ACA to work with splunk binary which prevents customer from using ACA to control splunk;
these two issues are currently acting as a blocker to production roll-out for this customer.
Current estimate for fix release as communicated to us is June.
If ACA is exploitable using the technique outlined in CS0942609, then it would seem helpful to all BT PMUL ACA customers if BT were to release a hotfix to this issue immediately.