This document discusses vulnerabilities in embedded devices that have web interfaces enabled by default. It describes how attackers can gain unauthorized access to these devices through their web interfaces and then use the devices to probe internal networks. Several examples of authentication bypass and cross-site scripting vulnerabilities are provided, demonstrating how attackers can change device settings or escalate privileges without proper authentication. Remote and client-side attacks are discussed, along with challenges in securely accessing embedded devices that are often overlooked.