brianld
Oct 19, 2023, Apprentice
Unrestricted access to router admin UI
This is an odd one that I can't seem to pinpoint: 1. Reset entire system to factory defaults. 2. Set up the system again. 3. Establish admin password, as required. 4. Login to Router Admin pag...
FURRYe38
Oct 20, 2023, Guru
Just because one user sees a problem doesn't mean others should see the same thing. It's possible this user's unit is just faulty or in a bad state. I've not seen this ever since day one on mine. I get the login window each and every time I go to the router's web page.
brianld
Oct 20, 2023, Apprentice
Straq FURRYe38 An update on this issue:
I started from scratch today. Completely reset router and satellites. Went through the entire setup of my Orbi using the iOS app.
The issue of being able to get into router admin pages from any device on network is no longer occurring. Phew!
I did find a different potential security issue however. I would be curious if someone else could try to replicate it ...
It appears that the router will allow any browser on a single device to access the admin portal if a user has logged in via that IP, and has not logged out.
How to reproduce:
1. Clear cookies on all browsers.
2. Using the browser of your choice (I used Chrome), log in to your router's admin pages.
3. Do not click "Logout" in upper right. Just close/exit the browser.
4. Using any other browser (Safari in my case) from the same computer, open your router admin page.
5. You should be in without being prompted for a password.
I've tested this with multiple browsers, as well as within a VM on my Mac that shares the Mac's IP. Once a user has logged in from an IP, and has not logged out, anyone can administer the router.
This isn't an issue for me in particular, as no one else uses my laptop, and I can just be sure to log out. However, imagine a scenario where a household used a shared computer. If the admin portal had been logged into from that computer, and the session was not logged out, any other user of that computer would be able to access it, so long as the IP doesn't change.
- FURRYe38, Oct 20, 2023, Guru
I can produce this on my Win 10 PC with MS Edge and Chrome but can't produce this on Win 11 PC with MS Edge or Firefox; they give me the login each time. Cleared browser caches on both as well.
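
The behaviour reported in the Oct 20 post above would be consistent with an admin UI that keys its session on the client IP rather than on a per-browser cookie. As an added example (not from the thread and not NETGEAR's code; the class names, the timeout and the IP address are assumptions), this Python sketch contrasts that model with a token-based session:

```python
import secrets
import time

IDLE_TIMEOUT = 300  # seconds; assumed value for this sketch


class IpBoundSessions:
    """Models the behaviour reported in the thread: the session key is the client IP."""

    def __init__(self):
        self._active = {}  # ip -> time of login

    def login(self, ip, now=None):
        self._active[ip] = time.time() if now is None else now
        return None  # nothing is handed to the browser

    def is_authorized(self, ip, cookie=None, now=None):
        now = time.time() if now is None else now
        last = self._active.get(ip)
        return last is not None and now - last <= IDLE_TIMEOUT


class TokenSessions:
    """Session key is a random token that only the logged-in browser holds."""

    def __init__(self):
        self._active = {}  # token -> (ip, last activity time)

    def login(self, ip, now=None):
        token = secrets.token_urlsafe(32)
        self._active[token] = (ip, time.time() if now is None else now)
        return token  # delivered as a cookie (HttpOnly, SameSite=Strict)

    def is_authorized(self, ip, cookie=None, now=None):
        now = time.time() if now is None else now
        entry = self._active.get(cookie)
        if entry is None:
            return False
        bound_ip, last = entry
        if bound_ip != ip or now - last > IDLE_TIMEOUT:
            del self._active[cookie]  # expire on IP change or idle timeout
            return False
        self._active[cookie] = (ip, now)
        return True


def second_browser_gets_in(sessions, ip="192.168.1.50"):
    """Browser A logs in and is closed without logout; browser B has no cookie."""
    sessions.login(ip, now=0)
    return sessions.is_authorized(ip, cookie=None, now=60)
```

With the IP-keyed model the second browser is admitted until the idle timeout passes; with the token model it is sent back to the login prompt because it never received the cookie.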