since the "new atheme" idiots are busy playing serious business security embargo games, I figured out the vulnerability for the rest of us.
they completely fucked up their mitigation of CVE-2016-4478, making it entirely pointless because THEY DID NOT UNDERSTAND THAT PASCAL STRINGS ARE NOT THE SAME AS C STRINGS (good job guys, maximum security here).
full analysis here:
https://github.com/atheme/atheme/commit/87580d767868360d2fed503980129504da84b63e#r27301897
IF YOU ARE RUNNING ATHEME, CLOSE THE XMLRPC EXPOSURE BECAUSE THESE GUYS ARE TRUE MORONS. THAT IS ALL.
or consider rm'ing your ircd, that also works well.