devolo dLAN 550 duo+ 3.1.0-1 Starter Kit Remote Code Execution

devolo dLAN 550 duo+ 3.1.0-1 Starter Kit Remote Code Execution
devolo dLAN 550 duo+ version 3.1.0-1 suffers from a remote code execution vulnerability. The devolo firmware has what seems to be a ‘hidden’ services which can be enabled by authenticated attacker via the the htmlmgr CGI script. This allows the attacker to start services that are deprecated or discontinued and achieve remote arbitrary code execution with root privileges.