Would be ironic since OP caught an exploit that their entire team wasn't smart enough to catch... yet somehow he wouldn't know about something as basic as VPNs?
Zero chance this was an issue of an entire team not being smart enough to check - everyone who touched this would immediately understand it wasn't in the authenticated flow. This smells like bad requirements being delivered to the implementers.