ADVERTISEMENT

Walmart-exclusive router and others sold on Amazon & eBay contain hidden backdoors to control devices

Wavlink router research
Bernard Meyer
Bernard Meyer Senior Researcher
Nov 23, 2020 Updated: 8 May 2026 15 min read
  • Make sure your data is secure with the help of the top VPN services on the market
  • Want to build your personal or business site? Website builders can make it happen in no time and provide you with the necessary security certificates
  • Choose among the best web hosting services on the market - ensure your website hosting is reliable and safe
"We have reason to believe that both Jetstream and Wavlink are subsidiaries of a Shenzhen-based company known as Winstars Technology Ltd."
Mantas Sasnauskas

Hidden backdoors on potentially millions of devices

A backdoor with a user interface

The GUI for the hidden backdoor
Do you have any further information about Jetstream, Wavlink or Winstars Technology Ltd., or the malicious Chinese IP address attempting to exploit these vulnerabilities? We'd love to hear from you. Please get in touch -- send us a tip by clicking here or email us at [email protected]

“This is not a mistake”

“Why would a company, which potentially knows the credentials of any of its routers, give itself the hidden ability to access anyone’s router and run commands?”
James Clee

Scanning for other wifi networks

The script that lists all neighboring wifi networks
The results of the getwifi script on our own test router

Mirai malware attacking our router

Malicious request from a Chinese IP address immediately after turning on honeypot on our router

The precarious position of Chinese tech companies

ADVERTISEMENT
On LinkedIn, Wavlink employees show their workplace as Winstars
Winstars address same as Wavlink's
Wavlink's address same as Winstars
Image of Winstars Thunderbolt 3 docking station
Image of Wavlink's Thunderbolt 3 docking station

Is “Jetstream” Winstar’s American brand?

Comparison of Jetstream and Wavlink mesh routers
Comparison of Jetstream and Winstars gaming routers
Comparison of login pages for Jetstream and Wavlink routers
Brand "Jetstream" included in the source code on Wavlink's router login page
Files within routers link Jetstream in multiple URLs

What is Winstars?

Winstars' total annual sales
Winstars' total monthly exports
  • webcmd.shtml is the backdoor that appeared to be placed there intentionally, but which we hoped to clarify with Wavlink
  • webcmd can be hacked using CSRF (Cross Side Request Forgery), and therefore opening a link makes your router hackable
  1. While it is common practice "for router companies to receive customer reports to make analysis and give feedback to customers," it is irresponsible to leave these kinds of vulnerabilities so bad actors can exploit them.
  2. While local management pages are fine, again -- given the confirmed vulnerabilities, it opens the router up to exploitation from bad actors.
  3. While wifi repeaters would have the wifi signal scanning function, this does not address why routers would have the same capability and, again -- given the confirmed vulnerabilities, this provides for pivoting and later movement capabilities that a bad actor can exploit.
  4. We wonder how many routers were sold since the Telnet function was removed. Further, while it is common for telecom operators to have this function -- Wavlink is not a telecom operator.
  5. We never claimed that the Chinese IP address attempting to exploit the backdoors and vulnerabilities was related to Wavlink. That was simply to confirm that the vulnerabilities were being actively exploited, which we observed on our test device. Given the confirmed vulnerabilities, and that there are hundreds or thousands of these routers exposed to the internet, the risk of exploitation is high. Further, given the webcmd and the vulnerabilities, the backdoor can be exploited by bad actors remotely.
  6. We never said that Jetstream is part of Wavlink. We said that Jetstream and Wavlink are both part, in one form or another, of Winstars, which Wavlink's response does not address.

What you should do next

Cybernews pro tip

Increase your online security and privacy by encrypting your internet connection and hiding your IP address.

Protect your data now
"I’m looking forward to never plugging [these Wavlink devices] in again.”
James Clee
ADVERTISEMENT