NOTE: This is a developing story. See updates at the end.
At least two Netgear routers, the R6400 and R7000 are vulnerable to a command injection flaw that is easy to exploit and could lead to the total takeover of the routers. This was disclosed yesterday, December 9th, and there has, as yet, been no response from Netgear.
Documentation on the flaw, so far, has been poor. Most importantly, it's not clear, to me at least, whether the vulnerability can be exploited remotely, from the LAN side of the router or both. If it is locally exploitable, then using a non-standard IP address for the router should offer some defense.