Got this from AVG:
While there are no known cases of this particular exploit actually in use, proof of concept code has shown it to be possible and effective. Fortunately, simply changing the default administrative password of the router easily mitigates the risk! All broadband routers are shipped with an administrative account and a default password, usually something like "password" or "admin", and most users never change these to a stronger password. This is a relatively easy task: the user would just need to log into the router's IP address (usually something like 192.168.0.1 or 192.168.1.1) and log in with the default password - see the documentation or go to one of the online databases such as http://www.routerpasswords.com to determine the password. Then set a new password and you have mitigated the risk!