I just opened a support ticket (EEW-834557) with Thecus to inform them about another critical vulnerability. The new 3.x firmware allows potential attackers to become any user (even "admin") bypassing the authentication. Exploits are available.
All users of devices running a 3.x firmware should make sure the WebUI is not accessible from insecure networks (such as the Internet) until this vulnerability is fixed.
Update 2009/11/26 - Received a reply from Thecus; they "hope it can be fixed soon".
/Falk
P.S.: I will not publish any details on the exploits ... but I will probably not be the only one who knows about this already.