Depending on where the attacker and where the potential victim are located and depending the protocol used and on how the network is structured all of that may or may not be a problem for the attacker. Maybe he already owned the last router before the victim via a totally unrelated issue and it's just a single hop.
I concur that this bug is unlikely to be exploited in the wild but I'm generally opposed to the statement "yes, that may be a critical problem, but who would do that?!" People that want to attack you do that.
Today I read an article where the response to a critical flaw in a process was "but that's not a real world scenario, those actions would need to be done deliberately and that would require criminal energy." Phew, we're safe then. Only positive energy around, move along, nothing to see here.
I wasn't so much saying "phew, you can relax" as I was saying "this is why you haven't seen a new Internet worm based on this concept."
It can still, of course, be done in one-off scenarios (attacking a peer on a guest wi-fi network is one easy possibility) but it's not Heartbleed-level scary, because you can't just "scan the Internet" for the vulnerability, and attack every vulnerable thing you find to useful result.
Today I read an article where the response to a critical flaw in a process was "but that's not a real world scenario, those actions would need to be done deliberately and that would require criminal energy." Phew, we're safe then. Only positive energy around, move along, nothing to see here.