External risk intelligence

NI grpc-device Insecure Default Credentials Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-9142

The vulnerability affects a gRPC-based device server component. While network-reachable if misconfigured to bind beyond loopback, these services are typically used for local instrumentation and control within internal engineering or laboratory networks, making direct public internet exposure uncommon.

Missing Authentication

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in NI grpc-device where insecure default credentials could allow unauthorized local network access if specific security configurations are absent. The primary concern is to confirm whether this technology is in use and if it is exposed in a way that could be exploited.

Unsecured default credentials could allow access.
Important for confirming if this technology is in use.
Assess exposure and confirm relevance to our environment.

Attack Path

How an attacker could exploit the issue

An unauthenticated user on the local network can access the NI grpc-device server if it's not configured with TLS and is accessible beyond the loopback interface. This exposure could allow an attacker to interact with the server, potentially leading to unauthorized actions.

Vulnerable server bound beyond loopback.
Insecure default credentials allow access.
Unauthenticated local network access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker on the local network to access the NI grpc-device server when TLS is not configured and the server is bound beyond loopback. This may expose sensitive system data or allow unauthorized control of device services.

System data and device services at risk.
Network access when TLS is absent.
Unauthorized access and control.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in NI grpc-device, particularly when TLS is not configured and the server is exposed beyond loopback, likely impacts teams responsible for the infrastructure hosting these devices and the applications that communicate with them. The first step should be to identify all instances of NI grpc-device, determine their network exposure and criticality, and then assign ownership for remediation.

Identify affected systems and owners.
Verify network reachability and business impact.
Plan and coordinate remediation efforts.

Supplementary metadata

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is NI grpc-device?

NI grpc-device is a software component that enables remote communication with National Instruments hardware, such as measurement and automation instruments. It uses the gRPC framework to allow applications to control laboratory or industrial equipment. It is typically deployed by engineers and researchers to facilitate interaction between software clients and physical measurement devices over a network.

What does CWE-306 mean for CVE-2026-9142?

CWE-306 refers to a Missing Authentication for Critical Function vulnerability. In the context of CVE-2026-9142, it means the software fails to verify the identity of users attempting to connect to the server. Because the system relies on insecure default credentials rather than proper authentication, anyone who can reach the service on the network may be granted access to perform functions reserved for authorized users.

How can an attacker trigger this vulnerability?

An attacker needs two conditions to be met: the server must be configured to accept connections beyond the local loopback interface, and Transport Layer Security (TLS) must be absent. If the server is strictly bound to the local loopback, meaning it only accepts connections from the machine where it is installed, this specific network-based access vulnerability does not apply.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal indicates that while this is a critical issue, high-risk exposure is unlikely for most users. Because NI grpc-device is usually used for instrumentation and control, these services are typically kept within internal engineering or laboratory networks rather than being exposed to the public internet. You should focus on verifying if your instances are restricted to local networks.

What should I do if I use NI grpc-device?

Your first step is to inventory all systems running NI grpc-device to identify which ones are in use and who owns them. Once identified, verify their current network configuration—specifically, whether they are bound to interfaces outside of the loopback and if TLS is currently enabled. Coordinate with your engineering teams to prioritize hardening these configurations or updating to a version that addresses the vulnerability.

References

Written by Nicholas Merritt

Nicholas Merritt is VP of Security Solutions at Halo Security. With more than 25 years across application security, vulnerability prioritization, and offensive security, he helps teams translate threat data into practical exposure validation and remediation focus. He authors Halo Threat Intelligence CVE advisories using Halo Surface Signal and H/A/L/O context to prioritize internet-facing risk.