The vulnerability that Drake outlines rises from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr, Drake explains, runs with root privileges and contains an unauthenticated command execution vulnerability. In turn this permits anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router.

via Root command execution bug found across wireless router range.

This seems more like a designed in feature not implemented correctly.  Transferring config information on an unsecure network is difficult to implement without some kind of flaw.

This kind of hack is well above the capability of your average hacker.  Very unlikely they could do much more than Man In the Middle which they could do anyway without hacking the router.  I do not chase updates on SOHO routers because it’s pointless, a waste of time that possibly introduces different bugs.