Confused....
"They can be exploited by an authenticated admin user to crash the device or execute commands on the host OS as root."
An authenticated admin user is surely one who can totally brick, or destroy the device config, or run OS-level commands anyway?
I have a number of RV32x's in my flock, and for a moment I panicked about this, then realised it isn't really a problem. The web admin page is blocked from public view anyway. Mind you, the RV32x's are being replaced when convenient with Drayteks anyway - just a shame Drayteks only have 4 WAN ports.