it’s a commonality. we discover the same over and over on the 8311 discord at pon.wiki. often the result of disclosure is a firmware update that removes the ability to create a configuration backup and restore.

Grabbed the config.bin off my ISP-provided ZTE F670L, decrypted it in about 5 minutes. The "encryption" key is just the serial number base concatenated with the byte-reversed MAC address... both printed on the sticker.

Inside: GPON credentials, TR-069 ACS config, VoIP SIP keys, and a hidden super admin account with full privileges. The password was in HaveIBeenPwned.

Used zte-config-utility. Steps are in the gist.