Also not specified is whether the "hardcoded credentials" are even valid during a normal operating mode.
In many cases, avionics like this has a dedicated physically isolated service port and/or a dedicated "service mode" that can only be entered by powering on the device when a discrete is tied to ground by a special test equipment connector.
Almost surely, these vulnerabilities are either:
1) Firewalled from the passenger network (This is, however, unlikely, airgrapping/network isolation is far more likely, with the interconnection between critical and noncritical networks being, at most, a one-way feed of nav data to the noncritical network)
2) Can only affect the passenger network and are not used for flight operations
3) Require physical access to a test connector on the unit itself