It has been discovered that you can get root permissions on a macOS system running High Sierra without any password. To test, click the padlock in any System Preferences dialog, enter root as the username and leave the password blank. Now click OK (or whatever the confirmation button is) twice and you have root privileges!
This is like the worst nightmare ever, but note that the attacker needs to have physical access to the machine. Until Apple ships a patch, the easiest way to secure the system is to change the root password as described here: https://support.apple.com/en-us/HT204012
Unfortunately, it looks like the vulnerability was publicly disclosed without notifying Apple first and waiting for a patch.