Good question. ...According to the guy, who discovered this issue, physical access is required.
However, Apple details (at the Support Page linked below) that root user is
disabled by default; but, if one logs in to one's Mac using an administrator account, one could enable the root user, then log in as the root user to complete a task. ...Again, I'm not sure is this could be done remotely (with administrator login password).
Here's
Apple's root PW Instructions Regardless, setting a root user password (a
strong & unique one) would defeat this security issue. (My unique, root PW is a 13 alpha-numeric-character PW I'll never remember; so, I saved it to 1PW.)
I used the "Change root password" method within System Preferences (
as iMore detailed wherein they advised keeping "Enable root user" - after setting root password - since subsequently disabling will delete the just-initiated password). Done.