3DP-Manager Hard-Coded Credentials Vulnerability in Administrative Account Creation

A vulnerability exists in 3DP-Manager versions through 2.0.1, where the application automatically generates an administrative account with default credentials (admin/admin) during initial setup. This issue allows attackers with network access to the login interface to gain full administrative rights, including management of VPN tunnels and system settings.

Impact

Exploitation of this vulnerability allows for unauthorized administrative access, enabling full control over the application's settings and VPN management.

Reproduction

The vulnerability can be reproduced by deploying 3DP-Manager version 2.0.1 or earlier. Upon the first initialization, the application will create an admin account with the username 'admin' and password 'admin'. This default account can then be used to log in and gain administrative privileges.

Remediation

Users are advised to update to 3DP-Manager version 2.0.2 or later. After updating, if the admin account was created in an earlier version, the password should be changed via the settings UI.