Hi, OP here, actually it's not true. Think the scenario as this: you don't have the CLI root password, you just do a MitM attack and learn about root password when your ISP attempts to change it. This applies my situation, also I could learn about the default password just by looking into the firmware.