The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless Genie cable boxes to the Genie DVR, is vulnerable to OS command injection in versions prior to 1.0.41 of the web management portal via the User-Agent header. Authentication is not required to exploit this vulnerability.
60407736f7e1de1519b05fc55add0932a67fcd3d6570595d9a8476a3162c5651
Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid username.
a3a633df95163ac8abfd1b19d769fa3b73f2a1713b3feb2b4d0ff3be073861e7