The vulnerability appears to exist in the changelevel rcon command and does not require a valid rcon password.