From gbhackers.com
Researchers discovered a critical zero-day flaw in TP-Link Wi-Fi extender that allows a remote attacker to get complete control over the device and to execute commands in user privileges.
This vulnerability can be tracked as CVE-2019-7406, and it affects the following models: RE650, RE350, RE365, and RE500.
Like other routers, the extender also operates on the MIPS architecture; an attacker could exploit the vulnerability by sending malformed HTTP request without requiring login/authentication to the Wi-Fi extender.
The only concern here is the network setup for an attacker to establish a connection with the extender. If someone is already connected to the target network, they can easily access the device.