[throwaway3627]

You're conflating an exploit for a narrow bug target class with a malware package which likely contains one or more exploits and probably a payload. The act of exploiting requires much more than an exploit alone to have the desired effect.

[tedunangst]

What's meant is that real exploits require one to get RCE, another to break sandbox, another for privilege escalation.

[tptacek]

Also maybe an infoleak to set up the RCE.