Impact
The NI grpc-device server contains an insecure default credentials flaw when TLS is not configured and the service is bound outside the loopback interface. An attacker on the same local network can use the unprotected default login to connect to the gRPC endpoint, gaining read or write access to server configuration, metrics, or other privileged operations. The flaw therefore permits an attacker to compromise confidentiality, integrity, and availability of the device, potentially escalating to full remote control if the application supports remote administration. The CVSS score of 9.3 reflects the high severity of this authentication bypass.
Affected Systems
The vulnerability affects NI grpc-device and NI InstrumentStudio products. Specifically, NI grpc-device version 2.17.0 and all earlier releases are vulnerable. The exact version range for InstrumentStudio is not listed, but versions that ship the same grpc-device component are assumed to be impacted.
Risk and Exploitability
With a CVSS score of 9.3 the vulnerability is critical. EPSS data is not available, so the current exploit probability is unknown, but the absence of a KEV listing suggests no confirmed widespread exploitation yet. The attack requires network access to the target’s local network and the service must be bound to an IP address other than 127.0.0.1. In practice this means that a privileged local user or a compromised machine on the same network segment can simply discover the default credentials and establish a gRPC connection.
OpenCVE Enrichment