That sounds like an oversight I once exploited
Back in my student days my university had networked PR1ME computers. Each had their own distinct logins/accounts, but their filesystems all accessible from each other, like NFS or CIFS. They had a feature called "add remote ID" which was the shell command "arid", which if you provided a login/password valid on that remote system allowed you to take on the permissions of that remote user when you were traipsing through its filesystem. So far so good, nice feature and very useful if you wanted to access files between your accounts on multiple systems without leaving them world readable which would have been required without the remote ID feature.
They had things tied in with the mainframe in some way so every account was associated with a "project number" that came from the mainframe that represented your resources in dollars. As you used the system you'd consume resources and if you ran out you couldn't login and you'd have to beg the sysadmins for more. The root/Administrator equivalent on PR1ME was SYSTEM, and long before like many of us might do I had tried to login as "SYSTEM" with no password just to see what happened and found that some of the PR1MEs would say "incorrect password" but a couple that would say "no money left" or whatever the message was when there was no money allocated to the account. I didn't think much of it at the time, since there was nothing you could do with a passwordless account if it had no money.
So when I later learned about "arid" I tried adding SYSTEM on one of those passwordless systems, and discovered that usage bypassed the project number accounting stuff and let me act with root powers on that remote filesystem. I got to poke around in places I had never been able to poke, there were tools there for creating and deleting accounts and changing passwords, tools for showing how much money each account had left (but not changing it since that came from the mainframe) and so forth.
Since the system comp sci students used was pretty sluggish with everyone trying to compile our code before assignments were due I thought I could make things a lot easier on myself if I created an account on that remote system. I could do my work on a far less busy system with much faster compiling time then copy it back to the system I used to submit the work. So I did that, and I was pretty careful to always disconnect from the modem bank and reconnect before logging into my fake account, and deleting all my files after I used it, but I must have slipped up as after the semester was over I was contacted by the higher ups in the IT department and they'd caught on to what I did.
What they couldn't figure out was how, so I sort of bargained with them that I'd tell them everything in exchange for not getting banned from the computer systems (which would be kind of a problem for a CS degree) You should have seen the look on their faces when I told them how it was all caused by having no password on that SYSTEM account lol!