Specifically blocking it works but the assumption amongst most users would be that those ports are closed by default.

I can confirm that I'm seeing this behaviour on 1.4.2.15 firmware RV325s as well. 8007 and 8008 exposed.  I can log in via 8007 using the cisco user credientials. This seems like one that needs urgent patching.