Description
There is an insecure default credentials vulnerability in NI grpc-device when TLS configuration is not present and the server is bound beyond loopback.  This may allow an unauthenticated user access to the server on the local network.  This affects NI grpc-device 2.17.0 and prior versions.
Published: 2026-06-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The NI grpc-device server contains an insecure default credentials flaw when TLS is not configured and the service is bound outside the loopback interface. An attacker on the same local network can use the unprotected default login to connect to the gRPC endpoint, gaining read or write access to server configuration, metrics, or other privileged operations. The flaw therefore permits an attacker to compromise confidentiality, integrity, and availability of the device, potentially escalating to full remote control if the application supports remote administration. The CVSS score of 9.3 reflects the high severity of this authentication bypass.

Affected Systems

The vulnerability affects NI grpc-device and NI InstrumentStudio products. Specifically, NI grpc-device version 2.17.0 and all earlier releases are vulnerable. The exact version range for InstrumentStudio is not listed, but versions that ship the same grpc-device component are assumed to be impacted.

Risk and Exploitability

With a CVSS score of 9.3 the vulnerability is critical. EPSS data is not available, so the current exploit probability is unknown, but the absence of a KEV listing suggests no confirmed widespread exploitation yet. The attack requires network access to the target’s local network and the service must be bound to an IP address other than 127.0.0.1. In practice this means that a privileged local user or a compromised machine on the same network segment can simply discover the default credentials and establish a gRPC connection.

Generated by OpenCVE AI on June 19, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NI grpc-device to version 2.18.0 or later, or the latest release that eliminates the default credentials issue.
  • Ensure TLS is enabled for the grpc-device service and configure the server to bind only to the loopback interface or otherwise restrict the IP addresses that accept connections.
  • Replace the default credentials with unique, strong passwords or keys and verify that all devices in the environment use the new credentials.

Generated by OpenCVE AI on June 19, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description There is an insecure default credentials vulnerability in NI grpc-device when TLS configuration is not present and the server is bound beyond loopback.  This may allow an unauthenticated user access to the server on the local network.  This affects NI grpc-device 2.17.0 and prior versions.
Title Insecure Default Credentials vulnerability in NI grpc-device when TLS configuration is not present
First Time appeared Ni
Ni grpc-device
Ni instrumentstudio
Weaknesses CWE-306
CPEs cpe:2.3:a:ni:grpc-device:*:*:*:*:*:*:*:*
cpe:2.3:a:ni:instrumentstudio:*:*:*:*:*:*:*:*
Vendors & Products Ni
Ni grpc-device
Ni instrumentstudio
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Ni Grpc-device Instrumentstudio
cve-icon MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-06-22T19:29:31.269Z

Reserved: 2026-05-20T19:51:58.847Z

Link: CVE-2026-9142

cve-icon Vulnrichment

Updated: 2026-06-22T19:29:27.737Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:36:11Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function