vendor: DSL 3782
by: Giulio Comi
CVSS: 9.8 (CRITICAL)
Authentication Bypass
CWE: 287
Product Name: DSL 3782
Affected Version From: A1_WI_20170303
Affected Version To: A1_WI_20170303
Patch Exists: YES
Related CWE: CVE-2018-8898
CPE: h:d-link:dsl-3782
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2018

D-Link DSL 3782 – Authentication Bypass

The web panel of D-Link DSL 3782 (version A1_WI_20170303) does not issue a token ID (e.g. a session cookie) that identifies the logged-in administrator; it relies only on a server-side timeout that lasts a few minutes. In addition, a server-side mitigation prompts for login credentials every time the webroot is loaded, but it leaves the application endpoints unprotected and affected by this authentication bypass. Therefore, after a valid administrator login, the web panel does not distinguish HTTP requests sent by the admin from those sent by other users. This way, an attacker can script an automatic routine that performs unwanted actions such as arbitrary modifications to router and SSID passwords and configurations.

Mitigation:

Implement a secure authentication mechanism that requires a token ID (e.g. a session cookie) identifying the logged-in administrator.
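The difference between the timer-only check described above and the token-based mitigation, as an added example that is not D-Link firmware code and not part of the original advisory. The class names, the request shape, the `/endpoint` path, the password and the 300-second timeout are assumptions made for illustration.

```python
import secrets

TIMEOUT = 300                  # assumed; the advisory only says "a few minutes"
ADMIN_PASSWORD = "example-pw"  # constructed sample value

class TimerOnlyPanel:
    """Flawed model: one global 'admin is logged in' timer, no client identity."""
    def __init__(self):
        self.logged_in_until = 0.0

    def login(self, password, now):
        if secrets.compare_digest(password, ADMIN_PASSWORD):
            self.logged_in_until = now + TIMEOUT

    def authorize(self, request, now):
        # Nothing in the request is inspected, so any sender passes in the window.
        return now < self.logged_in_until

class TokenPanel:
    """Mitigation: every endpoint requires the token issued at login."""
    def __init__(self):
        self.sessions = {}  # token -> expiry time

    def login(self, password, now):
        if not secrets.compare_digest(password, ADMIN_PASSWORD):
            return None
        token = secrets.token_urlsafe(32)  # unguessable 256-bit value
        self.sessions[token] = now + TIMEOUT
        return token

    def authorize(self, request, now):
        token = request.get("cookies", {}).get("session")
        expiry = self.sessions.get(token)
        if expiry is None:
            return False
        if now >= expiry:
            del self.sessions[token]  # expired sessions are dropped
            return False
        return True

def compare(now=1000.0):
    """Return (flawed, fixed_other, fixed_admin) decisions for the same endpoint."""
    other = {"path": "/endpoint", "cookies": {}}  # second client, no credential
    flawed, fixed = TimerOnlyPanel(), TokenPanel()
    flawed.login(ADMIN_PASSWORD, now)
    token = fixed.login(ADMIN_PASSWORD, now)
    admin = {"path": "/endpoint", "cookies": {"session": token}}
    return (flawed.authorize(other, now + 1),
            fixed.authorize(other, now + 1),
            fixed.authorize(admin, now + 1))
```

In the token model the check runs on every endpoint, not only on the webroot, which is the gap the advisory describes in the existing server-side mitigation.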

Exploit-DB raw data: