Command injection vulnerabilities and accessible default admin credentials in home routers distributed by Thailand’s largest broadband provider remain unpatched despite private disclosures to the vendors last July.