Whether local access to a system was lawfully granted, whether the af alg module was probed, whether page cache in memory was corrupted, whether su binary on disk was modified, whether other users could access su after the intervention, what the terms of services were. Whether information from other users was accessed, whether the server is private or government related, whether the vuln was actually present, what actions were taken in notifying the server owner if the vuln was present etc..

To claim that X is illegal without regard for any of these variable facts is unlikely to hold generally.

Additionally, as a plaintiff I would be looking at a civil claim, so that would be my concern when evaluating defendant liabilities as well.