("admin/admin" or similar). If these aren't changed, an attacker can literally just log in. The Mirai botnet throughout 2016 famously afflicted thousands of IoT devices by basically trying a list of standard passwords for gadgets like routers plus cameras, since users rarely changed all of them. - Directory record enabled on a web server, exposing just about all files if not any index page is definitely present. This might reveal sensitive data files. - Leavin