Where it might not be possible to get SSL private keys directly via heartbleed. Is there not also the possibility of exposing reused credentials or something that exposes a further exploit that could provide root access or similar to a server, allowing the retrieval of these keys?

It may not be possible in this clean minimal install, but in a real production environment, it should still be treated as a threat?