by sdbryan 5525 days ago
Why is this tabloid journalism featured in HN? Nowhere in the article is there any indication of how root access could be obtained. There should be at least some description of how privilege escalation could occur. I don't want arbitrary code executing, but that is a long way from root access. Even for shell access the attacker needs the user's name and password. Does the target just offer them?
1 comments

You don't need a username and password for shell access if the application has a vulnerability that allows for arbitrary code execution. Your code just executes as the same user as the application. To elevate your privileges, you would need to use a separate vulnerability once you have shell access.