UPDATE [November 29, 2017]: Apple has released a security update for macOS High Sierra users. Original article below.
A bug in the latest versions of macOS High Sierra allows users to create a root account with no password by repeatedly pressing a button in the preferences panel.
The only way an attacker could exploit this bug is if the macOS owner left his Mac unlocked and then left his desk.
This is all an attacker needs because with a few clicks he can create a root account that he could use at a later time to access the vulnerable device. The root account can also be used to log into the vulnerable machine remotely.
These steps will create a root account on the computer with no password. An attacker could use this account at a later time to legitimately log into a victim's Mac.
The bug affects macOS High Sierra 10.13.1 and 10.13.2 Beta. Users can prevent an attacker from exploiting a bug by creating a "root" account themselves and giving it a custom password. This blocks the bug from creating another root account.
Turkish software developer Lemi Orhan Ergin discovered and tweeted about the bug earlier today. Many other macOS users independently confirmed the issue. Apple is aware of the bug and working on a patch.