As dumb as this exploit is on the part of Netgear, remember that to exploit it the attacker had to have already broken the WPA2 security to access the wifi or physically plugged in with Ethernet. The first vector can be avoided by simply turning off management via wifi.
Or accessed your router internally via JavaScript, img tag, or iframe hidden on a malicious or compromised page. XSRF is real.
Edit: granted, browsers limit what JavaScript can do across sites, but request-only access is enough to change DNS settings to something malicious, and if the attacker can inject unescaped content into the page in some way, then they can run JavaScript on the router page and send data back that way.
Edit2: I'm not certain, but I think the timing of image load events could be used to determine success/failure of router actions loaded through a hidden img tag.
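Added example, not part of the original comments and not Netgear's code: the server-side checks an admin interface can apply so that a cross-site request from a hidden img tag, iframe, or form cannot change settings such as DNS. The allowed origins, the request shape, and the `csrfToken` field name are assumptions made for illustration.

```javascript
// Assumed origins the admin UI is legitimately served from (illustrative).
const ROUTER_ORIGINS = new Set(["http://192.168.1.1", "http://router.example"]);

// Constant-time string comparison so the token check leaks no timing signal.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Origin of the page that issued the request: Origin header, else Referer.
function sourceOrigin(headers) {
  if (headers.origin && headers.origin !== "null") return headers.origin;
  try { return new URL(headers.referer).origin; } catch { return null; }
}

// Decide whether a settings-changing request may proceed: { ok, reason }.
function checkSettingsChange(req, sessionToken) {
  // Hidden <img> and plain iframe loads are GETs: never change state on GET.
  if (req.method !== "POST") return { ok: false, reason: "method" };
  // A cross-site form POST carries the other site's Origin/Referer, or none.
  const src = sourceOrigin(req.headers || {});
  if (!src || !ROUTER_ORIGINS.has(src)) return { ok: false, reason: "origin" };
  // Per-session token that a page on another origin cannot read.
  const token = req.body ? req.body.csrfToken : undefined;
  if (!safeEqual(token, sessionToken)) return { ok: false, reason: "token" };
  return { ok: true, reason: "accepted" };
}

// Constructed sample requests (not captured traffic).
const SESSION_TOKEN = "constructed-session-token";
const SAMPLES = [
  { method: "GET", headers: { referer: "http://blog.example/post" }, body: {} },
  { method: "POST", headers: { origin: "http://blog.example" }, body: {} },
  { method: "POST", headers: { origin: "http://192.168.1.1" }, body: {} },
  { method: "POST", headers: { origin: "http://192.168.1.1" },
    body: { csrfToken: SESSION_TOKEN } },
];

function runSamples() {
  return SAMPLES.map((r) => checkSettingsChange(r, SESSION_TOKEN).reason);
}
```

Only the last sample, a same-origin POST carrying the session token, is accepted; the others are rejected at the method, origin, and token checks respectively.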