That "critical security vulnerability" is exactly the kind of thing I've been trying to do, to gain telnet access for getting DSL stats. It's quicker than having to upload a config file, so worth trying on other models, before it gets fixed of course. The "vulnerability" amounts to if you know the admin username and password, then with local network access to the device, you can get yourself proper shell access. You could consider it a way to unlock the device, rather than a vulnerability.
The open SNMP port in the iptables firewall configuration applies to a lot of models, the TD-W8970v1 and TD-W9980 being the models I've looked at.