In my previous post I made the remark that the Telnet interface for my Netgear router does not require credentials. As such, you already have full root access the moment you connect.
After some digging I found that the web interface credentials are not encrypted at all. The contents of the /etc/passwd file are readable by the (Telnet) “nobody” user, with full access. Example output:
~ # whoami
~ # cat /etc/passwd
There is no /etc/shadow file.
This means that anyone on the local subnet (connected via Wi-Fi at a coffee shop, for example) can enable Telnet and get the password for the web interface.
This is the latest firmware (version V22.214.171.124_1.0.21WW) available for this router.
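For anyone reviewing an unpacked firmware image for the same weakness (credentials kept in a readable /etc/passwd with no /etc/shadow), the following is an added example, not code from this post or from the vendor. The function names, the sample accounts and the password value are constructed for illustration, and the plaintext and DES-hash classification is a heuristic.

```python
import os
import re
import stat
import tempfile

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # heuristic: 13-char DES crypt(3) output

def classify_password_field(field):
    """Classify the second field of an /etc/passwd entry."""
    if field == "x":
        return "shadowed"
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    if field.startswith("$") or DES_CRYPT.match(field):
        return "hash-in-passwd"
    return "possible-plaintext"

def audit_rootfs(rootfs):
    """Return findings for an unpacked firmware root filesystem."""
    findings = []
    passwd = os.path.join(rootfs, "etc", "passwd")
    if not os.path.exists(os.path.join(rootfs, "etc", "shadow")):
        findings.append("no /etc/shadow")
    where = "world-readable " if os.stat(passwd).st_mode & stat.S_IROTH else ""
    with open(passwd, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = line.rstrip("\n").split(":")
            if len(parts) < 2 or line.startswith("#"):
                continue
            kind = classify_password_field(parts[1])
            if kind not in ("shadowed", "locked"):
                findings.append(f"{parts[0]}: {kind} in {where}/etc/passwd")
    return findings

def build_sample_rootfs():
    """Write a constructed sample tree (not the router's real file)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "etc"))
    path = os.path.join(root, "etc", "passwd")
    with open(path, "w") as fh:
        fh.write("nobody:*:0:0:nobody:/:/bin/sh\n"
                 "admin:ExamplePass1:0:0:admin:/:/bin/sh\n"
                 "svc:x:100:100:svc:/:/bin/false\n")
    os.chmod(path, 0o644)
    return root

if __name__ == "__main__":
    print("\n".join(audit_rootfs(build_sample_rootfs())))
```

Point `audit_rootfs()` at the directory where the firmware's root filesystem was extracted; any account it reports should be moved to a salted hash in a shadow file readable only by root.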