Description
3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.
Published: 2026-02-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Administrative Credential Exposure / Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability causes the 3DP-MANAGER application to create an administrative account with the default credentials admin/admin during first initialization. An attacker who can reach the login interface can authenticate as an administrator, gaining full control over VPN tunnels, system settings, and other privileged functions. The weakness is a hard‑coded credential flaw with high potential impact on confidentiality, integrity and availability.

Affected Systems

The affected product is denpiligrim 3dp-manager, specifically all releases up to and including version 2.0.1. The security advisory states that the issue will be patched in version 2.0.2. No other affected versions are listed.

Risk and Exploitability

The CVSS base score is 9.8, indicating critical severity. The EPSS score is reported as < 1%, suggesting a low probability of exploitation, but the vulnerability remains critical because it allows full administrative control. The issue is not listed in the CISA KEV catalog, but the potential impact justifies immediate attention. The likely attack vector is through the network‑accessible login interface, where attackers can supply the known default credentials.

Generated by OpenCVE AI on April 18, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade 3dp-manager to version 2.0.2 or later, which removes the default credentials.
  • Restrict the application’s login interface to trusted IP ranges using firewall rules or network segmentation.
  • Enforce a strong password policy and immediately replace any remaining default credentials in existing deployments.



Advisories

No advisories yet.

History

Tue, 17 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:denpiligrim:3dp-manager:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Denpiligrim; Denpiligrim 3dp-manager
Vendors & Products | | Denpiligrim; Denpiligrim 3dp-manager

Fri, 06 Feb 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | 3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.
Title | | 3DP-MANAGER Uses Hard-coded Credentials
Weaknesses | | CWE-798
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:25:57.618Z

Reserved: 2026-02-05T19:58:01.641Z

Link: CVE-2026-25803

Vulnrichment

Updated: 2026-02-09T15:22:49.200Z

NVD

Status: Analyzed

Published: 2026-02-06T23:15:54.973

Modified: 2026-03-17T20:43:52.930

Link: CVE-2026-25803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses