The vulnerability is due to improper handling of LDAP responses when LDAP is used for External Authentication. An attacker can exploit it with crafted HTTP requests, effectively bypassing authentication and gaining administrative access to the Web GUI.