Vulnerabilities reported in Brother printers and other vendors, at least one critical
Take action: If you have Brother printers (or multifunction devices from FUJIFILM, Ricoh, Toshiba Tec, or Konica Minolta), immediately change all default administrator passwords, since these devices probably have a flaw that allows attackers to generate those passwords and that cannot be fully patched. Also, make sure the printers are not accessible from the internet. Then apply the latest firmware updates to fix the other flaws.
Learn More
Brother Industries and four other major printer manufacturers are vulnerable to a collection of eight security vulnerabilities that affect 748 models of multifunction printers, scanners, and label makers across their combined product portfolios.
Of the 748 affected models, 689 are Brother devices, 46 are from FUJIFILM Business Innovation, 5 from Ricoh, 2 from Toshiba Tec Corporation, and 6 from Konica Minolta; each is impacted by some or all of these vulnerabilities.
The vulnerabilities were discovered through a zero-day research project conducted by Rapid7. The disclosure was coordinated through Japan's JPCERT/CC over a thirteen-month period.
Vulnerabilities summary
- CVE-2024-51978 (CVSS score 9.8): A critical authentication bypass vulnerability that allows unauthenticated remote attackers to generate default administrator passwords by exploiting Brother's predictable password generation algorithm. The vulnerability affects devices configured with default passwords and cannot be fully patched through firmware updates. The vulnerability impacts 695 models.
- CVE-2024-51982 (CVSS score 7.5): A denial of service vulnerability affecting the PJL service on port 9100 that allows unauthenticated attackers to crash affected devices, resulting in complete loss of availability. The vulnerability impacts 208 models.
- CVE-2024-51983 (CVSS score 7.5): A denial of service vulnerability in Web Services over HTTP that enables unauthenticated attackers to crash devices and disrupt printing operations.
- CVE-2024-51979 (CVSS score 7.2): A stack-based buffer overflow vulnerability affecting authenticated users through HTTP, HTTPS, and IPP services. This vulnerability enables attackers to control CPU registers including the Program Counter, providing sufficient primitives for achieving remote code execution when chained with the authentication bypass vulnerability.
- CVE-2024-51977 (CVSS score 5.3): An information disclosure vulnerability affecting HTTP, HTTPS, and IPP services that allows unauthenticated attackers to leak sensitive device information including serial numbers and other critical system data. This vulnerability serves as an enabler for the authentication bypass attack by providing the serial number required for password generation.
- CVE-2024-51984 (CVSS score 6.8): A credential disclosure vulnerability affecting LDAP and FTP services that allows authenticated attackers to retrieve plaintext passwords of configured external services, facilitating network lateral movement and data exfiltration.
- CVE-2024-51980 (CVSS score 5.3): A Server-Side Request Forgery (SSRF) vulnerability in Web Services over HTTP that allows unauthenticated attackers to force devices to open arbitrary TCP connections, potentially enabling network pivoting and internal resource access. The vulnerability impacts 707 models.
- CVE-2024-51981 (CVSS score 5.3): A second SSRF vulnerability affecting Web Services over HTTP that enables unauthenticated attackers to force devices to perform arbitrary HTTP requests, effectively turning printers into proxies for network reconnaissance and attack activities. The vulnerability impacts 701 models.
The attack methodology begins with serial number disclosure through multiple available vectors. Attackers can obtain device serial numbers through CVE-2024-51977 via HTTP, HTTPS, or IPP services, or alternatively through direct PJL or SNMP queries that bypass the information leak vulnerability entirely. Once the serial number is obtained, attackers can apply the discovered algorithm to generate the device's default administrator password, gaining full administrative access if the password has not been manually changed from its default value.
Brother has released firmware updates that address seven of the eight vulnerabilities: CVE-2024-51977, CVE-2024-51979, CVE-2024-51980, CVE-2024-51981, CVE-2024-51982, CVE-2024-51983, and CVE-2024-51984. However, the critical authentication bypass vulnerability CVE-2024-51978 cannot be fully remediated through firmware updates due to its fundamental integration with the manufacturing process.
The recommended workaround for CVE-2024-51978 is to manually change the default administrator password on all affected devices. While the mitigation is simple, it requires proper inventory management and ongoing discipline, because a factory reset will restore the vulnerable default password.
Security teams are advised to review their device inventory and prioritize internet-facing printers and devices in sensitive network segments for patching and password resets. Ideally, printers should not be internet facing.
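The inventory review described above can be turned into a repeatable triage step. The following is an added example, not code from Rapid7, Brother, or any of the other vendors: it takes a device inventory (the field names and the sample devices are constructed assumptions), applies the page's three remediation actions (password change for CVE-2024-51978, firmware update for the seven patched CVEs, removal of internet exposure), and ranks devices with internet-facing ones and those on sensitive segments first. It also handles the caveat that a factory reset after a password change silently puts the default password back. The `firmware_patched` flag is assumed to come from comparing each device's firmware against the vendor advisory; that comparison is outside this example.

```python
"""Triage a multifunction-printer inventory against the vulnerabilities above.
Added example; the inventory schema and sample devices are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Vendors named on the page as shipping affected models.
AFFECTED_VENDORS = {"Brother", "FUJIFILM", "Ricoh", "Toshiba Tec", "Konica Minolta"}


@dataclass
class Device:
    name: str
    vendor: str
    internet_facing: bool
    sensitive_segment: bool
    admin_password_changed: Optional[date]  # None = never changed from default
    last_factory_reset: Optional[date]      # None = never reset
    firmware_patched: bool                  # assumed: derived from vendor advisory


@dataclass
class Finding:
    device: str
    priority: int          # 1 = fix first, 4 = lowest
    actions: List[str]


def default_password_in_use(d: Device) -> bool:
    """A password change only counts if it happened after the most recent
    factory reset, because a reset restores the vulnerable default."""
    if d.admin_password_changed is None:
        return True
    if d.last_factory_reset is not None and d.last_factory_reset >= d.admin_password_changed:
        return True
    return False


def triage(devices: List[Device]) -> List[Finding]:
    """Return remediation findings for affected devices, highest priority first."""
    findings: List[Finding] = []
    for d in devices:
        if d.vendor not in AFFECTED_VENDORS:
            continue
        actions: List[str] = []
        if default_password_in_use(d):
            actions.append("change default administrator password (CVE-2024-51978 workaround)")
        if not d.firmware_patched:
            actions.append("apply latest vendor firmware (fixes the seven patched CVEs)")
        if d.internet_facing:
            actions.append("remove internet exposure of management and printing services")
        if not actions:
            continue  # affected vendor, but already fully remediated
        # Exposure weighs most, then an unchanged default password, then segment sensitivity.
        score = (4 if d.internet_facing else 0) \
            + (2 if default_password_in_use(d) else 0) \
            + (1 if d.sensitive_segment else 0)
        priority = 1 if score >= 6 else 2 if score >= 4 else 3 if score >= 2 else 4
        findings.append(Finding(d.name, priority, actions))
    findings.sort(key=lambda f: (f.priority, f.device))
    return findings


# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    Device("mfp-lobby", "Brother", True, False, None, None, False),
    # Password was changed, but a later factory reset put the default back.
    Device("mfp-finance", "Brother", False, True, date(2025, 1, 10), date(2025, 3, 2), True),
    Device("mfp-hr", "Ricoh", False, False, date(2025, 2, 1), None, True),
    Device("plotter-eng", "HP", True, False, None, None, False),  # vendor not in scope
    Device("mfp-branch", "Konica Minolta", True, False, date(2025, 4, 1), None, False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f.priority} {f.device}: " + "; ".join(f.actions))
```

Run as a script it prints one line per device needing work; `mfp-hr` is omitted because it is patched and has a post-reset password change, and `plotter-eng` is skipped as an out-of-scope vendor. Feeding it a real inventory export is mostly a matter of mapping your asset-management fields onto `Device`.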