by onesmallcoin
2346 days ago
@thu2111 He's giving you an attack chain.
If you rebind the DNS server of the modem with an SNMP/TR-069 exploit, you could redirect/inject into the HTTP traffic a page that contained the JavaScript payload to exploit the Cable Haunt vulnerability against the Spectrum Analyser endpoint. Because WebSockets don't use CORS to restrict the requesting host's domain to the modem, you could execute code on the gateway modem from the internet with the combination of a client on the remote network running an HTTP request from a browser, combined with an alternative DNS rebinding attack against the gateway and a server hosting the malicious WebSockets payload on an HTTP server.

Edit: or you could get them to click on a link
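Since the comment turns on WebSocket handshakes not being restricted by CORS, the endpoint itself has to decide who may connect. The following is an added example, not code from the thread or from any modem firmware: a server-side check of the `Host` and `Origin` headers on the upgrade request. The address, port, path and hostnames are constructed sample values.

```javascript
// Added example: Host/Origin checks for a WebSocket upgrade request.
// All addresses, ports, paths and hostnames below are constructed sample values.
const POLICY = {
  allowedHosts: new Set(["192.168.100.1:8080"]),     // names the device answers to
  allowedOrigins: new Set(["http://192.168.100.1"]), // pages allowed to connect
};

// Parse the header block of a raw HTTP upgrade request into a lowercase-keyed map.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split("\r\n").slice(1)) {
    if (line === "") break;                 // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // A repeated header is ambiguous; store null so the check fails closed.
    headers.set(name, headers.has(name) ? null : value);
  }
  return headers;
}

function checkHandshake(raw, policy = POLICY) {
  const h = parseHeaders(raw);
  const host = h.get("host");
  const origin = h.get("origin");
  // A rebound DNS name still arrives in Host, so an exact match blocks rebinding.
  if (!host || !policy.allowedHosts.has(host.toLowerCase()))
    return { allow: false, reason: "host" };
  // Browsers send Origin on every WebSocket handshake; the same-origin policy
  // does not stop the connection, so the server has to compare it itself.
  if (!origin || !policy.allowedOrigins.has(origin.toLowerCase()))
    return { allow: false, reason: "origin" };
  return { allow: true, reason: "ok" };
}

// Build a constructed upgrade request for the given Host and optional Origin.
const req = (host, origin) =>
  ["GET /ws HTTP/1.1", `Host: ${host}`, "Upgrade: websocket", "Connection: Upgrade",
   ...(origin ? [`Origin: ${origin}`] : []), "", ""].join("\r\n");

const SAMPLES = {
  local: req("192.168.100.1:8080", "http://192.168.100.1"),
  crossSite: req("192.168.100.1:8080", "http://other.example.test"),
  rebound: req("modem.example.test:8080", "http://modem.example.test"),
  noOrigin: req("192.168.100.1:8080", null),
};
for (const [name, raw] of Object.entries(SAMPLES)) console.log(name, checkHandshake(raw));
```

The check rejects a missing `Origin` as well, which also blocks non-browser clients; a device that must serve those needs a separate authentication step rather than a relaxed header check.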