Cyber Posture

CVE-2026-25803

Severity: Critical

Published: 06 February 2026
Modified: 17 March 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25803 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Denpiligrim 3Dp-Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 6.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 prohibits the use of default authenticators such as the hardcoded admin/admin credentials automatically created on first initialization.

Prevent: AC-2 requires management of accounts to prevent automatic creation of default administrative accounts with known credentials.

Prevent: CM-6 mandates secure configuration settings that prohibit deployment with known default credentials exposed to the login interface.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Hardcoded default admin credentials (admin/admin) created on first run directly enable use of valid default accounts for unauthenticated remote access to the management interface.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.

Deeper analysis

CVE-2026-25803 affects 3DP-MANAGER, an inbound generator for 3x-ui, in version 2.0.1 and prior. The vulnerability stems from the application automatically creating an administrative account with hardcoded default credentials (admin/admin) upon first initialization. This CWE-798 issue exposes the login interface to unauthorized access, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) due to its critical impact on confidentiality, integrity, and availability.

Any attacker with network access to the application's login interface can exploit this by authenticating with the default credentials, gaining full administrative control. This allows management of VPN tunnels and system settings, potentially enabling further compromise of the hosting environment or networked resources.

The issue will be addressed in version 2.0.2 of 3DP-MANAGER. Security practitioners should upgrade immediately and review GitHub advisory GHSA-5x57-h7cw-9jmw and commit f568de41de97dd1b70a963708a1ee18e52b9d248 for patch details and remediation guidance.
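The first-initialization flaw described above, placed beside a hardened bootstrap and an IA-5 style audit check. This is an added illustration in Python, not 3DP-MANAGER's own code; the in-memory store layout, the function names and the known-default list are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed in-memory user store standing in for the application's database.
# Maps username -> {"salt": bytes, "hash": bytes, "must_change": bool}.
UserStore = Dict[str, dict]

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; never store the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify(store: UserStore, username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

def vulnerable_first_init(store: UserStore) -> None:
    """Pattern the advisory describes: a fixed admin/admin account on first run."""
    if not store:
        salt = secrets.token_bytes(16)
        store["admin"] = {"salt": salt, "hash": hash_password("admin", salt),
                          "must_change": False}

def hardened_first_init(store: UserStore) -> Optional[str]:
    """Hardened variant: random bootstrap password, hashed at rest, rotation forced.

    Returns the one-time password so the installer can show it to the operator
    exactly once (never write it to logs); returns None if accounts already exist.
    """
    if store:
        return None
    bootstrap_pw = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    store["admin"] = {"salt": salt, "hash": hash_password(bootstrap_pw, salt),
                      "must_change": True}
    return bootstrap_pw

# Hypothetical baseline of known default pairs to audit against (IA-5 / CM-6).
KNOWN_DEFAULTS = [("admin", "admin")]

def audit_default_credentials(store: UserStore) -> List[str]:
    """Return the accounts that still accept a known default credential."""
    return [user for user, pw in KNOWN_DEFAULTS if verify(store, user, pw)]
```

Run `audit_default_credentials` against a deployed instance's store as a post-install check: a non-empty result means the default account is still live and the install should be rotated before exposure.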

Details

CWE(s): CWE-798 (Use of Hard-coded Credentials)

Affected Products: denpiligrim 3dp-manager ≤ 2.0.1

CVEs Like This One

CVE-2026-24346 (shared CWE-798)
CVE-2024-51547 (shared CWE-798)
CVE-2025-30122 (shared CWE-798)
CVE-2026-23781 (shared CWE-798)
CVE-2026-27785 (shared CWE-798)
CVE-2026-26218 (shared CWE-798)
CVE-2026-29119 (shared CWE-798)
CVE-2025-33089 (shared CWE-798)
CVE-2026-22900 (shared CWE-798)
CVE-2025-2343 (shared CWE-798)
