Personal Fav. #3:
Auth bypass + WAN web interface
- No interaction required from victim admin
- Usually simple to exploit. i.e.:
  - Knowledge of “authenticated” URL
  - Replay request that changes admin setting