Isn't CORS supposed to prevent this?

CORS doesn’t prevent requests (i.e. GET requests from IMG tags, or XHR preflight requests), it only prevents web apps from processing the response if the responding server doesn’t agree. And a simple GET or even OPTIONS request can be enough to exploit vulnerabilities in routers and other local devices.