An unpatched router can be hijacked, if the attacker is on the same network.
Several models of Asus' routers are vulnerable to an attack that leaves little for non-technical users to protect themselves until a fix is issued.
Security researcher Joshua Drake published an advisory warning that "all known firmware versions for applicable routers (RT-AC66U, RT-N66U, etc.) are assumed vulnerable."
The bug allows an attacker on the same network to take full administrative control of the router without the need for a password. The only known fix is to disable the troublesome infosvr service by killing the process when the affected device boots. That has to be performed each time the device restarts.
Read more: Most Asus routers affected by hijack bug; exploit posted | ZDNet