I used to write reviews on these consumer-level network devices and in my experience they nearly all ran a root-privileged server under Linux. Inevitably they would end up having some sort of cgi interface that would take in parameters and make a "system" call to do email, change configurations, etc. It was only a matter of how much time and effort I wanted to put in to show that I could break in by screwing with the variables. They also would always have an unused telnet or ssh server that was left over from the original developers. Lesson-learned - Don't ever enable remote access for these cheap consumer devices.
Edit: Remembered an amusing case where I reported a vulnerability to a manufacturer. I reported something like "If you add an administrator's email address to the device that looks like 'myemail`reboot`@gmail.com' the box will reboot". The manufacturer got right on it and "fixed" the bug. Their fix? The new firmware had an explicit check for the string "reboot" inside of submitted email addresses. Kind of tells you the quality of engineers they have developing these things...
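The "reboot" string check described in the comment above, set beside an allowlist check, as an added example that is not part of the thread or of any vendor's firmware. The function names and the mailer path are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAILER "/usr/sbin/sendmail"  /* assumed mailer path, not from the thread */

/* The vendor-style "fix": reject only input containing the literal "reboot". */
int blacklist_accepts(const char *email) {
    return strstr(email, "reboot") == NULL;
}

/* Allowlist: exactly one '@', non-empty local part and domain, no leading '-',
 * and only characters from [A-Za-z0-9._+-] everywhere else. */
int allowlist_accepts(const char *email) {
    size_t len = strlen(email);
    const char *at = strchr(email, '@');
    if (len > 254 || at == NULL || at == email || at[1] == '\0')
        return 0;
    if (strchr(at + 1, '@') != NULL || email[0] == '-')
        return 0;
    for (const char *p = email; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (p != at && !isalnum(c) && strchr("._+-", c) == NULL)
            return 0;
    }
    return 1;
}

/* Fill an argv for execv(): the address is one argument and no shell parses
 * it, unlike a command string handed to system(). Returns 0, or -1 on reject. */
int build_mail_argv(const char *email, const char *argv[3]) {
    if (!allowlist_accepts(email))
        return -1;
    argv[0] = MAILER;
    argv[1] = email;
    argv[2] = NULL;
    return 0;
}

int main(void) {
    /* First sample is the address quoted in the comment; the rest are constructed. */
    const char *samples[] = { "myemail`reboot`@gmail.com", "myemail`id`@gmail.com",
                              "reboot@gmail.com", "myemail@gmail.com" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s blacklist=%d allowlist=%d\n", samples[i],
               blacklist_accepts(samples[i]), allowlist_accepts(samples[i]));
    return 0;
}
```

The blacklist lets the backtick address through as soon as the command is anything other than "reboot", and it also rejects the harmless `reboot@gmail.com`; the allowlist gets both right.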
I think the problem is that the typical engineers that work on these devices are used to working on a whole different layer - hardware. But they know how to put together a few simple CGI scripts and probably don't even know the dangers they are facing when they run an HTTP(S) server.
So on the one side you have HW guys saying "no need to find someone, we can do it ourselves" and on the other managers gladly accepting this at face value (it probably does cost them less in the short run). I am not saying these guys are not good engineers, just that this is not their area of expertise. Their mistake is not realizing this.
I've worked in embedded devices, and the problem isn't that the engineers don't know how to fix it properly, it's just that nobody cares enough to make consumer-level devices very secure. That costs money.
The web is full of articles like this. Vendors still come out with shitty, usually GPL-violating firmware. Links below from some quick googling and going through the archives of devttys0.com, but it doesn't even begin to describe the problem. Nearly every consumer router has some stupid injection or authentication bypass vulnerability.
It looks like it could be done with a DNS rebinding attack (as you need to set a special HTTP header, so normal CSRF stuff doesn't work). This would mean the victim would simply need to visit an attacker-controlled webpage.