Some meme worthy vulnerabilities like unauthenticated root ADB access, don’t worry its not enabled by default. But the request to enable it doesn’t require authentication.

On :7777 luci_server is running, it has a custom binary protocol but there is a GETPASS command that doesn’t require authentication and can be used to retrieve the password.

The same service has various READ_ commands that can be used to read device config values without authentication. Including things like wifi pass.