CVE Vulnerabilities

CVE-2025-11919

Published: Jun 26, 2026 | Modified: Jun 26, 2026
CVSS 3.x: N/A (Source: NVD)

The default JVM can access files and directories under /tmp/, including the $TemporaryDirectory of other users on the same cloud instance (/tmp/UserTemporaryFiles/). The -init file for JVM initialization exists in the vulnerable directory during JVM startup. An attacker with access to the shared /tmp/ space can preemptively create or replace .jar files or directories (via the -init file) that the victim JVM will resolve first in its classpath. By placing a malicious version of a commonly used library (e.g., commons-io) in a location that appears in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.
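A defensive check for the condition described above, as an added example that is not part of the advisory or of the affected product: it walks each classpath entry and its parent directories and reports any component that another local user could create or replace before the JVM starts. The function names, the `trusted_base` parameter and the demo directory tree are assumptions constructed for illustration; POSIX permissions are assumed.

```python
import os, stat, tempfile

def path_risk(path, uid, trusted_base=None):
    """Return why another local user could plant or replace `path`, else None."""
    cur, child_missing = os.path.realpath(path), False
    base = os.path.realpath(trusted_base) if trusted_base else None
    while cur != base:  # ancestors at or above trusted_base are assumed vetted
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            st, child_missing = None, True  # absent: someone else may create it first
        if st is not None:
            if st.st_uid not in (0, uid):
                return f"{cur} is owned by uid {st.st_uid}"
            loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            # The sticky bit (as on /tmp) only protects children that already exist.
            protected = (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
                         and not child_missing)
            if loose and not protected:
                return f"{cur} is group- or world-writable"
            child_missing = False
        if cur == os.path.dirname(cur):
            break  # reached the filesystem root
        cur = os.path.dirname(cur)
    return None

def audit_classpath(classpath, uid=None, trusted_base=None):
    """Return (entry, reason) for every classpath entry that is exposed."""
    uid = os.getuid() if uid is None else uid
    findings = []
    for entry in filter(None, classpath.split(os.pathsep)):
        target = entry[:-1] if entry.endswith("*") else entry  # "dir/*" -> dir
        reason = path_risk(target, uid, trusted_base)
        if reason:
            findings.append((entry, reason))
    return findings

def build_demo_tree():
    """Constructed sample: a 0700 directory and a sticky 1777 one (the mode of /tmp)."""
    root = tempfile.mkdtemp()
    for name, mode in (("private", 0o700), ("shared", 0o1777)):
        d = os.path.join(root, name)
        os.mkdir(d)
        os.chmod(d, mode)
        os.close(os.open(os.path.join(d, "present.jar"), os.O_CREAT | os.O_WRONLY, 0o644))
    names = ("private/present.jar", "shared/present.jar", "shared/missing.jar")
    return root, os.pathsep.join(os.path.join(root, n) for n in names)

if __name__ == "__main__":
    root, classpath = build_demo_tree()
    for entry, reason in audit_classpath(classpath, trusted_base=root):
        print(f"{entry}: {reason}")
```

On the demo tree only the entry that does not yet exist inside the sticky shared directory is reported, which is the pre-creation case the description covers; run against a real classpath, leave `trusted_base` unset so every ancestor up to `/` is checked.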

References