Like I said, if a truly malicious actor wanted to get a backdoor in I expect they'd be able to be a lot more subtle than a default password in an a web administration app. The cost of doing what you describe is too great for something that can easily be blocked by flashing Tomato... or just turn off remote web management.