Trivial attacks can be launched directly against the router with no human interaction or access to credentials. Unauthenticated attacks require some form of human interaction, such as following a malicious link or browsing to an unsafe page, but do not require an active session or access to credentials. Authenticated attacks require that the attacker have access to credentials (or that default router credentials are used -- an all-too-common situation) or that a victim is logged in with an active session at the time of the attack.
Cross-site request forgery was the first component of all of our attacks. After that, our standard attack was to reset the administrative password to a known value, or add a new administrator, and then enable remote management. Only when this was not possible (e.g., some routers require the old password as part of the request to change it) did we try other attacks. Those included: shell command injection, directory traversal to share the root of the filesystem over an Internet-accessible FTP server, exploiting a race condition to upload shell scripts over FTP and then have them execute, enabling additional vulnerable services, and some more. There are more vulnerabilities in the routers, and we're disclosing those, too, but they're not necessarily part of this report we're publishing.
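The server-side checks that break the chain described above, as an added example that is not part of the original report: a router admin handler that rejects cross-origin requests, requires a session-bound CSRF token, and asks for the current password before a password change, a new administrator, or enabling remote management. The paths, field names, session id and sample requests are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)   # per-boot secret (assumed)
# Hypothetical paths for the three actions the standard attack relied on.
SENSITIVE = {"/admin/password", "/admin/add_admin", "/admin/remote_mgmt"}

def csrf_token(session_id):
    """Token tied to one admin session; a page on another origin cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_admin_request(req, session_id, stored_hash, salt):
    """Return (allowed, reason) for a state-changing admin request."""
    headers, form = req["headers"], req["form"]
    if req["method"] != "POST":
        return False, "state change must use POST"
    if session_id is None:
        return False, "no authenticated session"
    host = headers.get("Host", "")
    source = headers.get("Origin") or headers.get("Referer", "")
    if not host or urlsplit(source).netloc != host:
        return False, "cross-origin request"
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, csrf_token(session_id).encode()):
        return False, "bad CSRF token"
    if req["path"] in SENSITIVE:
        supplied = hash_password(form.get("current_password", ""), salt)
        if not hmac.compare_digest(supplied, stored_hash):
            return False, "current password required"
    return True, "ok"

def demo():
    """Run constructed sample requests; the victim has an active session 's1'."""
    salt = b"constructed-salt"
    stored = hash_password("correct horse", salt)
    base = {"method": "POST", "path": "/admin/remote_mgmt"}
    forged = dict(base, headers={"Host": "192.168.1.1", "Origin": "http://other.example"},
                  form={"enable": "1"})
    no_pw = dict(base, headers={"Host": "192.168.1.1", "Origin": "http://192.168.1.1"},
                 form={"enable": "1", "csrf_token": csrf_token("s1")})
    legit = dict(no_pw, form=dict(no_pw["form"], current_password="correct horse"))
    return [check_admin_request(r, "s1", stored, salt)[1] for r in (forged, no_pw, legit)]

if __name__ == "__main__":
    print(demo())
```

The first sample request is refused even though the victim's session is active, which is the condition the authenticated attack class depends on.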