Device vendor placed deliberate backdoor in device, and doesn't provide updates anymore. Assuming no hacky stuff, if you want a not backdoored device you throw the one you bought in trash and buy a new one.
Can you sue in EU in 2024?
https://isc.sans.edu/diary/rss/31442