I see no problem with this.
The first bot will have clearly changed the password so the owner probably doesn't have access anyway without resetting the device manually.
The nematode will disable the first bot and change the password which the owner didn't have anyway. I would actually recommend completely disabling the device (shutdown networking as last command) as well until the owner resets it and potentially applies a patch that way at least they are aware they have a problem.
What's the alternative? Detect all vulnerable devices and send it to the IP address owners which would surely be a thankless task.
Either way at some point someone is going to have to do something.
Biting the hand that feeds IT
