The administrator password is disclosed via hedwig.cgi. This allows full admin control of the hardware.
The D-Link DAP-1650 WiFi extender is an End-of-Life (“EOL”) product. There will be no futher updates.
Reference: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10266