I've worked at a large telco testing CPE devices (routers and whatnot) and it was common place to find backdoors like this. The devices were made by a third party vendor and most of them had hardcoded passwords and hidden debug features.