[xnull2guest]

It's worth five figures to the buyer if they can make five figures or more of value from it.

Not speculating about nation states here but 'groups': making good money from post-Auth MySql RCE not totally absurd - Amazon, Rackspace, HP, Heroku and Jelastic all offer MySql-as-a-service, where you are given low privilege (maintained, geo-redundant, etc) account access to shared MySql instance. If there's more than five digits of business value stored in that database then a five digit exploit makes sense.

Or think about any of the (poorly written) bitcoin services out there that use some default phpAdmin creds for a database that also hosts their vault.