CVE-2026-25803
Default Credential Vulnerability in 3DP-MANAGER Allows Admin Access
Publication date: 2026-02-06
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| denpiligrim | 3dp-manager | up to 2.0.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in 3DP-MANAGER, an inbound generator for 3x-ui, in version 2.0.1 and earlier. The application automatically creates an administrative account with default credentials (admin/admin) upon first initialization. Because these credentials are well-known, attackers with network access to the login interface can easily gain full administrative control over the system.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can gain full administrative control of the affected application. This allows them to manage VPN tunnels and system settings, potentially leading to unauthorized access, data breaches, disruption of services, and complete compromise of the system's security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether 3DP-MANAGER is running version 2.0.1 or earlier and whether the default administrative account with credentials admin/admin exists.
You can attempt to log in to the application's login interface using the default credentials (admin/admin) to verify whether the vulnerable account is present.
Network scanning tools can be used to identify the presence of the 3DP-MANAGER service on your network.
- Use a web browser or curl command to attempt login: curl -X POST -d 'username=admin&password=admin' http://<target-ip>/login
- Use nmap to detect the service: nmap -p <port> --script=http-title <target-ip> (replace <port> with the port used by 3DP-MANAGER)
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade 3DP-MANAGER to version 2.0.2 or later, where this issue is patched.
If upgrading immediately is not possible, change the default administrative credentials from admin/admin to a strong, unique password to prevent unauthorized access.
Restrict network access to the application's login interface to trusted hosts only, using firewall rules or network segmentation.
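A log-side check that complements the detection and network-restriction points above, as an added example (not code from this advisory or from the 3dp-manager project): it scans a reverse-proxy access log for login POSTs that were not rejected and that came from outside a trusted allowlist. The nginx "combined" log format, the `/login` path (taken from the curl command above), the 2xx/3xx success heuristic and all sample lines are assumptions.

```python
import ipaddress
import re

# Assumption: nginx "combined" access-log format in front of the panel.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: login endpoint as used in the curl check above.
LOGIN_PATH = "/login"

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2026:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [06/Feb/2026:10:02:13 +0000] "POST /login HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [06/Feb/2026:10:03:40 +0000] "POST /login HTTP/1.1" 401 87 "-" "curl/8.5.0"',
    '203.0.113.50 - - [06/Feb/2026:10:04:02 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def untrusted_logins(lines, trusted_cidrs):
    """Return (timestamp, ip, status) for login POSTs that did not fail
    and came from outside the trusted networks."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore query strings and a trailing slash when comparing the path.
        if m["path"].split("?", 1)[0].rstrip("/") != LOGIN_PATH:
            continue
        # Heuristic: a 2xx/3xx status means the login was not rejected outright.
        if not 200 <= int(m["status"]) < 400:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or malformed client field
        if not any(src in net for net in trusted if net.version == src.version):
            hits.append((m["ts"], str(src), int(m["status"])))
    return hits
```

The log does not show which credentials were submitted, so every hit on a host that ran 2.0.1 or earlier should be treated as a possible use of admin/admin until the password is known to have been changed.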