Knowing that there is a vulnerability might motivate them to look for it, but given the size of the software, I doubt they'll be able to find it without knowing more.
You'd be surprised; on Windows, at least, there are people who reverse engineer the security patches from Microsoft in order to determine the initial vulnerability[1].
Because there are enough people running Windows who haven't applied the patch that figuring out how to exploit it is a worthwhile undertaking.
Then again, IME of many years as a PostgreSQL DBA, the vast, overwhelming majority of postgres shops aren't running anywhere near the latest release, so depending on how far back this vulnerability goes, there could be a very large number of exploitable targets...
The knowledge may also motivate them to prepare for attacks to be executed once the vulnerability is public but most instances do not have it patched. Scan the Internet for PG backed applications, identify high profile ones, prepare automatic scripts, etc.
[1] http://www.phreedom.org/presentations/reverse-engineering-an...
Edit: Misinterpreted your post. You're right, it's unlikely that they'll guess where it is until a patch comes out.