"At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK," the researchers note, highlighting that sedexp is an advanced threat that hides in plain site.
These rules contain three parameters that specify its applicability (ACTION== "add"), the device name (KERNEL== "sdb1"), and what script to run when the specified conditions are met (RUN+="/path/to/script").
Sure, but this isn't a privilege escalation, this requires privilege escalation, and it merely installs a backdoor that preserves that privilege.
It's like installing something in cron or systemd, it's not a vulnerability in itself, but it can allow an attacker to add a backdoor once they exploit a vulnerability once.