Severity by source
CVSS vector (vendor: NI):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Rationale: a network-reachable gRPC service with no authentication when misconfigured gives AV:N/AC:L/PR:N/UI:N; instrument read/write yields C:H/I:H, but no availability impact is described, so A:N.
Primary rating from vendor (NI).
Description (source: CVE.org)
There is an insecure default credentials vulnerability in NI grpc-device when TLS configuration is not present and the server is bound beyond loopback. This may allow an unauthenticated user access to the server on the local network. This affects NI grpc-device 2.17.0 and prior versions.
Analysis (AI-generated)
Unauthenticated network access to NI grpc-device 2.17.0 and earlier is possible when the server is deployed without TLS configuration and bound to a non-loopback interface, exposing instrument control services to anyone on the local network. The flaw stems from insecure default credentials behavior and aligns with CWE-306 (missing authentication for a critical function). …
Attack chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability assessment (AI-generated)
| Exploitation | The grpc-device server must be started without TLS configuration AND bound to an interface beyond loopback (e.g., 0.0.0.0 or a specific LAN IP), which is a non-default but operationally common posture when remote test controllers need to reach instruments. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) realistically captures the worst case: an attacker with LAN reachability and no credentials can read and manipulate instrument state, but availability impact is rated N, consistent with control-plane abuse rather than a crash. … |
| Exploit Scenario | An attacker on the same factory-floor or lab network scans for the grpc-device port on hosts that have been bound to 0.0.0.0 without TLS, opens an unauthenticated gRPC channel, and issues driver calls to read live measurements or reconfigure instruments, for example altering DAQ output voltages or VISA session settings. No public exploit was identified at the time of analysis, but the CVSS 4.0 AV:N/AC:L/PR:N profile means a generic gRPC client plus the public .proto definitions from the ni/grpc-device repository is sufficient to interact with the service. |
| Remediation | Patch available per vendor advisory: consult the NI security bulletin at https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/multiple-vulnerabilities-in-ni-grpc-device-server.html and the GitHub Security Advisory GHSA-fhhw-37q8-6562 for the fixed grpc-device build. An exact fixed version was not provided in the input data, so verify the target release on the advisory before deploying. … |
Recommended action (AI-generated)
Within 24 hours: Inventory all NI grpc-device instances at version 2.17.0 or earlier; verify TLS configuration status and network binding; isolate any non-TLS deployments via network segmentation or firewall rules immediately. …
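As an added defender-side check that is not part of this page or of the NI project, the following Python reads a grpc-device server_config.json and flags the exact combination the advisory describes: no TLS material and a bind address beyond loopback. The field names "address", "port" and "security" (with "server_cert" / "server_key") are assumed to match the grpc-device config layout, and the sample configs are constructed.

```python
import ipaddress
import json


def is_loopback(address: str) -> bool:
    """True when the bind address is only reachable from the local host."""
    host = address.strip()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]          # bracketed IPv6 literal such as "[::1]"
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False               # any other hostname: assume network-reachable


def tls_configured(config: dict) -> bool:
    """TLS counts as present only if both a server cert and a server key are set.
    (Assumed field names: security.server_cert / security.server_key.)"""
    sec = config.get("security") or {}
    return bool(sec.get("server_cert")) and bool(sec.get("server_key"))


def assess(config_text: str) -> str:
    """Classify one server_config.json as 'exposed', 'loopback-only' or 'tls'.
    'exposed' is the advisory's condition: no TLS and bound beyond loopback."""
    config = json.loads(config_text)
    address = config.get("address", "")
    if not address:
        return "exposed"           # binding unknown: treat as worst case for triage
    if tls_configured(config):
        return "tls"
    return "loopback-only" if is_loopback(address) else "exposed"


# Constructed sample configs (not real deployments), using the assumed field names.
EXPOSED = '{"address": "0.0.0.0", "port": 31763, "security": {"server_cert": "", "server_key": "", "root_cert": ""}}'
LOOPBACK = '{"address": "[::1]", "port": 31763, "security": {}}'
TLS_LAN = '{"address": "192.0.2.10", "port": 31763, "security": {"server_cert": "server.crt", "server_key": "server.key", "root_cert": "ca.crt"}}'

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED), ("loopback", LOOPBACK), ("tls_lan", TLS_LAN)]:
        print(name, "->", assess(cfg))
```

Run it against every server_config.json found in the inventory step; any result of "exposed" is an instance to segment or firewall until the vendor fix is applied.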
EUVD-2026-38030