You don't have to be authenticated, you just have to be able to reach the router's web-based management portal.
I would expect this kind of sh1tty code (easily exploitable) and wrapped in an equally cheap-n-nasty IoT product from some eastern Asian country.
I was not expecting this sort of
code exploit to be in an expensive product made by a multi-billion dollar company called Cisco. Makes me think out aloud if Cisco actually sub-contracted the code from some the same east Asian country (and not bother checking)?
Another thing, Cisco own Talos. So Cisco (and Talos) didn't bother checking on their own product and it took an outside security firm to spot this?
Is it April 1 already?