If I understand correctly those credentials are only usable if you get access to the router, by cracking a WEP key for example.
And please correct me if I'm wrong. But if this is correct, I don't really see this as a vulnerability for most people, since most people don't even change the default logins on their routers.
For some other people it might be problem yup, but the attacker would have to enter the network first.
A lot of these routers might have their web console visible on the WAN side.
Other clever attacks are simple: most of the routers use default subnets of 192.168.0.0/24 with a gw at 192.168.0.1.
A malicious site can make a post to 192.168.0.1 with user name/pw super super and say reconfigure your local dns settings so that they can man in the middle something like traffic that would normally go to an ad network. They can then serve up their own ads and make profit$.
recently, attacks against home routers were mounted via malicious iframes pushed to a PC in the LAN. That vector neither requires physical presence nor wifi password cracking, merely CSRF.
Most of the router do have WAN management service default on and can be accessed easily form the internet. If is not in internet then rebind attack is there for the backup https://code.google.com/p/rebind/
And please correct me if I'm wrong. But if this is correct, I don't really see this as a vulnerability for most people, since most people don't even change the default logins on their routers.
For some other people it might be problem yup, but the attacker would have to enter the network first.