I use the google wifi device OnHub AC1900. When I run Avast Pro, it claims that my router has a weak default password of admin/admin.
However, one cannot even access settings via a web browser on that router. It requires a phone app and a user defined username/pass to configure it. From a browser the homepage of the router simply gives links to download the phone app.
My guess is that Avast Pro is simply calling it with a POST and passing admin/admin. Since it returns a page (the one with download links) Avast assumes that it logged in.
I want to make sure I am not wrong though and there isn't something I am missing with this router. Like whether or not Avast is using a different protocol or hitting a specific page directly. The google wifi routers leave much in a black box, so I want to be sure there is no glaring security hole I missed.