The vulnerability stems from the su command's insecure search path, which includes the current working directory (.). When su is invoked, it searches for executables in the current directory before other system paths. This allows an attacker to place a malicious program, named the same as a program su might execute (e.g., sh, bash, or other utilities), in a directory the user controls. When a privileged user then uses su to change to another user, and that user's shell or other commands are invoked, the attacker's malicious program is executed instead of the legitimate one and gains the privileges of the target user. The root cause is a design flaw: the search path prioritizes the current directory, creating an opportunity for Trojan horse attacks. The vulnerability involves no buffer overflow or race condition; it is a logical flaw in how the system searches for executables.
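A defensive check for the condition described above, as an added example that is not part of the original page: it flags search-path components that are resolved relative to the current working directory (".", relative names, and empty components, which shells also treat as the current directory) and builds a path with them removed. The function name audit_search_path, the CLEAN_PATH variable and the sample value are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page. Sample value is constructed.

# audit_search_path PATH_STRING
#   Prints "<position> <reason> [<entry>]" for every component that is resolved
#   relative to the current working directory, stores the remaining absolute
#   components in CLEAN_PATH, and returns 1 if anything was flagged.
audit_search_path() {
    local rest="$1" entry reason pos=0 flagged=0
    CLEAN_PATH=
    while :; do
        entry=${rest%%:*}                 # text up to the first ':'
        pos=$((pos + 1))
        case $entry in
            /*) reason= ;;                # absolute: does not depend on cwd
            '') reason=empty ;;           # '::', leading or trailing ':' mean cwd
            .)  reason=dot ;;             # explicit current directory
            *)  reason=relative ;;        # e.g. 'bin' or './tools'
        esac
        if [ -n "$reason" ]; then
            printf '%s %s [%s]\n' "$pos" "$reason" "$entry"
            flagged=1
        else
            CLEAN_PATH=${CLEAN_PATH:+$CLEAN_PATH:}$entry
        fi
        case $rest in
            *:*) rest=${rest#*:} ;;       # more components follow
            *)   break ;;
        esac
    done
    return "$flagged"
}

# Constructed sample: '.' first, an empty component in the middle, a relative entry last.
sample='.:/usr/local/bin::/usr/bin:bin'
audit_search_path "$sample" || echo "unsafe search path; use instead: $CLEAN_PATH"
```

The check only covers entries tied to the current directory; it does not inspect the permissions of the absolute directories it keeps.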