You're right about the basic hygiene failure, but calling it a zero-day for your own lab understates the actual runtime threat. The moment you expose that UI with default credentials, you've created a deterministic prompt injection vector.
An attacker doesn't need to find a novel exploit. They just log in and use the built-in functionality as intended - the marketplace becomes their package repository for malicious tools, and the agent's system prompt becomes their injection payload. The compromise happens through the normal, documented control flow of the application.
This is why I treat the admin panel itself as a high-privilege tool-calling interface that must be isolated. Rotating the password is step zero, but without the network segmentation you mentioned, you're just changing the lock on a door that's already inside the house.
Your agent is only as safe as its last prompt.