CVE-2026-25803
Default Credential Vulnerability in 3DP-MANAGER Allows Admin Access

Publication date: 2026-02-06

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.
Meta Information
Published: 2026-02-06
Last Modified: 2026-03-17
Generated: 2026-06-16
AI Q&A: 2026-02-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: denpiligrim
Product: 3dp-manager
Version / Range: to 2.0.1 (inc)
CWE ID: CWE-798
Description: The product contains hard-coded credentials, such as a password or cryptographic key.
Executive Summary

The vulnerability exists in 3DP-MANAGER, an inbound generator for 3x-ui, in version 2.0.1 and earlier. The application automatically creates an administrative account with default credentials (admin/admin) upon first initialization. Because these credentials are well-known, attackers with network access to the login interface can easily gain full administrative control over the system.

Impact Analysis

An attacker exploiting this vulnerability can gain full administrative control of the affected application. This allows them to manage VPN tunnels and system settings, potentially leading to unauthorized access, data breaches, disruption of services, and complete compromise of the system's security.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking whether the 3DP-MANAGER application is running version 2.0.1 or earlier and whether the default administrative account with credentials admin/admin exists.

You can attempt to log in to the application's login interface using the default credentials (admin/admin) to verify if the vulnerable account is present.

Network scanning tools can be used to identify the presence of the 3DP-MANAGER service on your network.

  • Use a web browser or curl command to attempt login: curl -X POST -d 'username=admin&password=admin' http://<target-ip>/login
  • Use nmap to detect the service: nmap -p <port> --script=http-title <target-ip> (replace <port> with the port used by 3DP-MANAGER)

Mitigation Strategies

The immediate mitigation step is to upgrade the 3DP-MANAGER application to version 2.0.2 or later, where this issue is patched.

If upgrading immediately is not possible, change the default administrative credentials from admin/admin to a strong, unique password to prevent unauthorized access.

Restrict network access to the application's login interface to trusted hosts only, using firewall rules or network segmentation.
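
The first-initialization behaviour described above (CWE-798) has a general fix: create the admin account with a random one-time password and audit the credential store for known default pairs. The sketch below is an added example, not 3DP-MANAGER's code; the store layout and all function names are hypothetical, and PBKDF2 is an assumed choice of password hash.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KNOWN_DEFAULTS = [("admin", "admin")]  # the pair named in this advisory
PBKDF2_ROUNDS = 600_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def bootstrap_admin(store: dict) -> Optional[str]:
    """First-run init: create 'admin' with a random one-time password.

    Returns the password so it can be shown to the operator once, or
    None when an admin account already exists (never overwrite it).
    """
    if "admin" in store:
        return None
    password = secrets.token_urlsafe(18)
    salt = secrets.token_bytes(16)
    store["admin"] = {"salt": salt, "hash": hash_password(password, salt),
                      "must_change": True}  # force rotation at first login
    return password

def accounts_with_default_credentials(store: dict) -> list:
    """Audit: usernames whose stored hash still matches a known default pair."""
    flagged = []
    for user, default_pw in KNOWN_DEFAULTS:
        rec = store.get(user)
        if rec and hmac.compare_digest(hash_password(default_pw, rec["salt"]),
                                       rec["hash"]):
            flagged.append(user)
    return flagged

def change_password(store: dict, user: str, new_password: str) -> None:
    """Reject known defaults and short passwords, then rotate salt and hash."""
    if (user, new_password) in KNOWN_DEFAULTS or len(new_password) < 12:
        raise ValueError("password is a known default or too short")
    salt = secrets.token_bytes(16)
    store[user] = {"salt": salt, "hash": hash_password(new_password, salt),
                   "must_change": False}

if __name__ == "__main__":
    # Constructed sample: a store in the vulnerable admin/admin state.
    salt = secrets.token_bytes(16)
    legacy = {"admin": {"salt": salt, "hash": hash_password("admin", salt),
                        "must_change": False}}
    print("default credentials present for:", accounts_with_default_credentials(legacy))
```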
