A slew of routers manufactured in China are fraught with vulnerabilities, some of which have existed in products for as long as six years. Nearly 20 different routers made by the electronics company TotoLink contain multiple remote code execution bugs, suffer from XSS and CSRF vulnerabilities, and contain backdoor credentials. The RCEs affect 15 different products, including some with firmware that dates back to 2009. The potential for attacks is largely due to the fact that authentication comes disabled by default, meaning it’s easy for an attacker to access the configuration and settings inside the router’s LAN. From there they could change the DNS configuration, update the firmware, change the WiFi configuration and more.
Source: https://threatpost.com/totolink-routers-plagued-by-xss-csrf-rce-bugs/113816/