A couple of years ago I bought a retail Linksys router. By far the easiest way to configure said router was to do the setup using a Linksys "cloud" password, and then doing the configuration via this handy "cloud" facility. (In fact, doing the configuration with a laptop, a CAT5 cable and NO INTERNET proved to be very difficult....I wonder why!)
The alleged "benefit" of this scheme was that I could manage my router (by smartphone) from the beach in Brazil. But I did wonder at the time if it allowed anyone who hacked the Linksys "cloud" to manage my LAN (also from the beach in Brazil).
I passed.....did a factory reset and boxed up the router and gave it to the local charity shop.
I mention this here because I wonder if retail routers are hackable from the "cloud" services which manufacturers kindly provide? No physical access needed!