Anyone with web_server enabled and HTTP basic auth configured on 2021.9.1 or older
web_server allows OTA update without checking user defined basic auth username & password
web_server
Patch released in 2021.9.2
Disable/remove web_server