1. Pick a router, download the firmware, extract the filesystem
2. Search all executables/libraries/scripts for curl -k, wget --no-check-certificate, and variations thereof (curl_easy_setopt etc.)
Attackers can intercept those connections
3. See how the response is handled. I've seen:
- custom JSON parser memory corruptions
- stack buffer overflows
- straight up executing the response as a script
- command injection from some response parameter
You're practically done. Routers often have most mitigations disabled, so exploits should be a walk in the park.
Obviously there are other (harder?) techniques.
- Firewall bypass/Internet exposed services
- UDP response forging
- Custom kernel modules
- Packet inspection/custom nftables modules
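The audit step in point 2 above (grepping an extracted firmware filesystem for TLS verification being switched off) is the part a firmware vendor or reviewer can automate. The following is an added example scanner written for this page, not the poster's own tooling: it walks an extracted root filesystem, flags shell scripts and text files that call curl with -k/--insecure or wget with --no-check-certificate, and flags ELF binaries that import curl_easy_setopt so the CURLOPT_SSL_VERIFYPEER/VERIFYHOST values can be checked by hand (those constants are compiled to numbers, so a string search cannot see them). The demo filesystem, its file names and its hostnames are constructed sample data, not from any real device.

```python
#!/usr/bin/env python3
"""Audit an extracted firmware root filesystem for disabled TLS certificate
verification. Added example for this page; the demo tree below is constructed."""

import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# A shell command ends at a newline, NUL (strings inside binaries), or a
# pipe/separator, so the option search must not cross those characters.
CMD_BODY = rb"[^\n\x00|;&]*?"
TEXT_RULES = [
    (re.compile(rb"\bcurl\b" + CMD_BODY + rb"\s(?:-[A-Za-z]*k[A-Za-z]*|--insecure)(?=\s|$)", re.M),
     "curl invoked with certificate verification disabled (-k/--insecure)"),
    (re.compile(rb"\bwget\b" + CMD_BODY + rb"\s--no-check-certificate(?=\s|$)", re.M),
     "wget invoked with --no-check-certificate"),
]
# Only meaningful for ELF binaries: libcurl users must be reviewed manually,
# because CURLOPT_SSL_VERIFYPEER/VERIFYHOST settings are numeric at build time.
ELF_RULES = [
    (re.compile(rb"curl_easy_setopt"),
     "imports curl_easy_setopt: review CURLOPT_SSL_VERIFYPEER/VERIFYHOST by hand"),
]


@dataclass
class Finding:
    path: str      # path relative to the extracted rootfs
    offset: int    # byte offset of the match inside the file
    reason: str
    snippet: str   # matched text, truncated for display


def is_elf(data: bytes) -> bool:
    return data[:4] == b"\x7fELF"


def scan_bytes(path: str, data: bytes) -> List[Finding]:
    """Apply the text rules to every file and the ELF rules to binaries."""
    rules = list(TEXT_RULES) + (ELF_RULES if is_elf(data) else [])
    out = []
    for rx, reason in rules:
        for m in rx.finditer(data):
            snippet = data[m.start():m.end()][:80].decode("latin-1")
            out.append(Finding(path, m.start(), reason, snippet))
    return out


def scan_rootfs(root: str) -> List[Finding]:
    """Walk the extracted filesystem (regular files only, symlinks skipped)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            findings.extend(scan_bytes(os.path.relpath(full, root), data))
    return sorted(findings, key=lambda f: (f.path, f.offset))


def build_demo_rootfs() -> str:
    """Constructed sample tree: two insecure scripts, one clean script that
    pins a vendor CA, and a fake ELF that imports curl_easy_setopt."""
    root = tempfile.mkdtemp(prefix="fw_demo_")
    files = {
        "etc/init.d/fwupdate": b"#!/bin/sh\ncurl -sk -o /tmp/fw.bin https://updates.example.invalid/fw.bin\n",
        "usr/bin/cloudsync.sh": b"#!/bin/sh\nwget --no-check-certificate -O /tmp/cfg https://cfg.example.invalid/c\n",
        "usr/bin/clean.sh": b"#!/bin/sh\ncurl --cacert /etc/ssl/vendor.pem -o /tmp/x https://updates.example.invalid/x\n",
        "usr/sbin/agentd": b"\x7fELF" + b"\x00" * 12 + b"curl_easy_setopt\x00https://api.example.invalid\x00",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_rootfs(build_demo_rootfs()):
        print(f"{f.path}@{f.offset}: {f.reason}  [{f.snippet}]")
```

Run it against a real extracted rootfs with scan_rootfs("/path/to/squashfs-root"). Scripts that pass --cacert or rely on the default CA bundle produce no finding; the curl_easy_setopt hit is deliberately a review prompt rather than a verdict, since a binary can set verification off, on, or leave the default, and only disassembly or a runtime check of the actual TLS handshake settles which.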