Cybersecurity researchers from Trustwave’s SpiderLabs have discovered multiple security vulnerabilities in some router models from two popular manufacturers. The flaws involve insecure storage of credentials, potentially affecting every user and system on that network. The first vulnerability resides in the dual-band D-Link DSL-2875AL wireless router, where a file located at https://[router ip address]/romfile.cfg contains login password of the device in plaintext and can be accessed by anyone with access to the web-based management IP address, without requiring any authentication.
Source: https://thehackernews.com/2019/09/router-password-hacking.html