I have a router from my ISP that I am forced to use, and it has had a few CVEs ranging from not good to really bad, most of which are years old. I can get a replacement, but it's just the same model. They don't care about security at all and don't care about patching it, even though they have exclusive access rights to the router and can remotely log in to it. It's completely ridiculous.
The one I use looks scary too, and it came with a dumb default password as well. I wouldn't be surprised if it had a few CVEs hanging around too.
> I have a router that from my ISP I am forced to use...
A friend of mine impersonated the ISP router's MAC address and used Wireshark to sniff the traffic when the modem started. He then configured the ONT (which is physically inside an SFP plug; it's tiny) to establish the handshake and send the credentials.
It's a sad state of affairs, but anyone serious about security ought to consider the common ISP WiFi router a potentially hostile device and class it as part of the public side of the Internet. The usual advice is to put a firewall/router of your own, running your preferred software, between the ISP device and your network.
Routers supplied by AT&T here in the US for their fiber gigabit service do RADIUS authentication with the carrier gateway using certs built into the device. There used to be an older version of this router that had known vulnerabilities which made extracting those certs possible, but they've since been patched and those certs have been invalidated.
Note that you can still downgrade an existing gateway, extract the certs [0], then bypass the device [1]. I had to do this with OPNsense to avoid the latency buildup issue, which has been ongoing for months [2].
I believe you can set those to pass-through mode and put a router/firewall behind it without any kind of double NAT. Other than some kind of MITM, you have at least minimized the likelihood of someone using it as an entry point to your network.
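As an added illustration of the advice in the two comments above (treat the ISP device as the public Internet, and put your own router/firewall behind it in pass-through mode), here is a minimal nftables ruleset for a Linux box acting as that inner router. This is example configuration written for this page, not taken from the thread or from any vendor's documentation. It assumes eth0 faces the ISP gateway, eth1 faces a LAN on 192.168.10.0/24, and IPv4 only; those names and the prefix are placeholders to adjust.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout:
#   eth0 = WAN, plugged into the ISP gateway (treated as hostile)
#   eth1 = LAN, 192.168.10.0/24
# Load with: nft -f this-file.nft
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define LAN_NET = 192.168.10.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # DHCP client replies on the WAN. The initial exchange is not
        # tracked by conntrack (the request leaves from 0.0.0.0), so it
        # needs an explicit rule; this is the only unsolicited traffic
        # accepted from the ISP side.
        iif $WAN udp sport 67 udp dport 68 accept

        # Services the router offers to the LAN only: SSH, DNS, DHCP, ping.
        iif $LAN ip saddr $LAN_NET tcp dport { 22, 53 } accept
        iif $LAN ip saddr $LAN_NET udp dport { 53, 67 } accept
        iif $LAN ip saddr $LAN_NET icmp type echo-request accept

        # Everything else from the WAN, including ICMP echo and any
        # management protocol the ISP gateway might probe, hits the drop policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN hosts may initiate outbound (this also covers reaching the
        # ISP gateway's own web UI, since it sits on the WAN side).
        iif $LAN oif $WAN ip saddr $LAN_NET accept

        # No rule exists for new connections arriving on $WAN, so nothing on
        # the ISP side can open a connection into the LAN.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # With the ISP gateway in pass-through mode the WAN interface holds
        # the public address, so this masquerade is the only NAT layer.
        oif $WAN ip saddr $LAN_NET masquerade
    }
}
```

Two checks after loading it: `nft list ruleset` should show the drop policies on `input` and `forward`, and `ip -4 addr show eth0` should report a public address rather than a 192.168.x.x or 100.64.0.0/10 one, which is how you confirm pass-through actually removed the second NAT layer. If the ISP gateway also hands out IPv6, add ICMPv6 neighbor-discovery and router-advertisement rules before relying on this ruleset for v6 traffic.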