CORS doesn’t prevent requests (i.e. GET requests from IMG tags, or XHR preflight requests), it only prevents web apps from processing the response if the responding server doesn’t agree. And a simple GET or even OPTIONS request can be enough to exploit vulnerabilities in routers and other local devices.