So if we’re not talking about ISPs sending this out, then the reason that remote access gets turned on by default is in case the company sysadmin couldn’t physically get to the device, and they assumed the company had a firewall.
Companies almost always prioritise OOTB setup and operationality over security when it comes to defaults.
They likely weren’t enabled by default at all. Because that’s generally not how company IT departments even remotely manage these things. And the affected devices are the firewalls.
Remote administration was turned on manually, by the owners of these devices, because they didn’t know what they were doing.