Looks like there is a significant flaw in the DD-WRT firmware. They are working on a patch, and have instructions on how to set up your firewall rules to mitigate the risk for the time being.

Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As an immediate action, please disable remote Web GUI management. But that limitation could easily be overridden by a Cross-Site Request Forgery (CSRF) attack, in which a malicious website could inject the exploit from inside the browser.