
This is why you configure modems for RFC1483 bridging
And use your own router, preferably running DD-WRT/OpenWRT. Then port scan yourself from the outside as a sanity check, because you shouldn't trust the modem vendor to know that the definition of a "bridge" means it must be transparent to all traffic.
If I configure my Actiontec Q1000 VDSL2 modem as a router, it has an open port that can't be disabled - for TR-069 support. I can change the password on it, but I can't know there isn't a default password hidden in the firmware. Luckily, when configured as a bridge, it follows the RFC. Thus I can sleep in peace knowing the only exploit that could get me from the outside is a 0-day in Linux OpenSSH.
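
The outside-in sanity check recommended in the comment above, as an added example that is not part of the original comment. Run it from a host outside your network against your own WAN address; the port list, the expected-open set {22} and the inclusion of 7547 (the IANA-registered CWMP/TR-069 port) are assumptions, since the comment does not say which port the modem uses.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumption: a short list of ports worth checking on a home WAN address.
# 7547 is the IANA-registered CWMP (TR-069) port; the comment names no port.
CANDIDATE_PORTS = [21, 22, 23, 53, 80, 443, 7547, 8080, 8443]


def tcp_state(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no usable reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts, unreachable host, ICMP-rejected, ...
        return "filtered"


def audit(host, ports=CANDIDATE_PORTS, expected_open=frozenset({22}), timeout=2.0):
    """Probe each port and return (states, unexpected).

    states maps port -> state; unexpected lists open ports that are not in
    expected_open, i.e. something other than your own router is answering
    or a service you did not mean to expose is reachable.
    """
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = pool.map(lambda p: tcp_state(host, p, timeout), ports)
        states = dict(zip(ports, results))
    unexpected = sorted(
        p for p, s in states.items() if s == "open" and p not in expected_open
    )
    return states, unexpected


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wan_audit.py <your-own-WAN-address>")
    states, unexpected = audit(sys.argv[1])
    for port in sorted(states):
        print(f"{port:>5}/tcp  {states[port]}")
    if unexpected:
        print("unexpected open ports:", ", ".join(map(str, unexpected)))
    sys.exit(1 if unexpected else 0)
```

The non-zero exit status on an unexpected open port lets the check run from cron on an outside host and alert when a firmware update or mode change re-exposes a management port.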