TOTOLINK/Realtek Routers - CAPTCHA Bypass

On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via a POST request to the boafrm/formLogin URI with the JSON payload "topicurl":"setting/getSanvas". This allows an unauthenticated attacker to bypass CAPTCHA verification, gaining unauthorized access to restricted...