Security researchers have discovered a critical vulnerability affecting hundreds of Brother printer models that cannot be fixed through software updates, leaving millions of devices potentially exposed to remote attacks.
The flaw, disclosed June 25, 2025 by cybersecurity firm Rapid7, allows an attacker who knows a device's serial number to compute the factory-default administrator password of 689 Brother printer, scanner and label-maker models, plus 59 additional devices from Fujifilm, Toshiba, Ricoh and Konica Minolta. The vulnerability, tracked as CVE-2024-51978, carries a 9.8 ("Critical") rating on the industry-standard CVSS scale.
The weakness lies in the algorithm Brother uses at the factory to set each device's default administrator password: the password is derived deterministically from the unit's serial number. Nothing has to be "reversed" for this to fail. Because the derivation is fixed, and its details have now been published, anyone who learns a printer's serial number can simply run the same procedure and obtain the factory-set administrator password, and with it full control of the device. Serial numbers are not secret; Rapid7 showed they can be read over the network without authentication through a separate flaw in the same set, CVE-2024-51977.
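To make the design point concrete, the following added Python example (written for this article, not Brother's code, and using a made-up salt and made-up serial numbers) contrasts a hypothetical serial-derived default password with a per-device random one. It shows why hashing the serial does not help: the attacker never inverts the hash, they recompute it. The weak scheme, its recomputation, and the fleet-audit helper `still_at_factory_default` are all assumptions introduced here for illustration.

```python
"""Why a factory password derived from a serial number is guessable.

Hypothetical scheme written for illustration. It is NOT Brother's real
algorithm or salt; it only mirrors the design property described above:
the default password is a deterministic function of the serial number.
"""
import base64
import hashlib
import hmac
import secrets

# Assumed constant standing in for whatever a vendor bakes into firmware.
# Anything shipped inside firmware must be treated as public once extracted.
HYPOTHETICAL_SALT = b"example-firmware-salt"


def weak_default_password(serial: str) -> str:
    """Factory-style derivation: serial + fixed salt -> SHA-256 -> base64 -> 8 chars.

    Deterministic: the same serial always yields the same password.
    """
    digest = hashlib.sha256(serial.encode("ascii") + HYPOTHETICAL_SALT).digest()
    return base64.b64encode(digest).decode("ascii")[:8]


def attacker_recovers_password(leaked_serial: str) -> str:
    """The attacker needs no inverse of SHA-256.

    With the serial (leaked over the network or read off the label) and the
    salt pulled from firmware, they run the derivation forwards, exactly as
    the factory did. Hashing buys nothing here.
    """
    return weak_default_password(leaked_serial)


def strong_default_password(nbytes: int = 12) -> str:
    """Per-device random default drawn from the OS CSPRNG at manufacturing time.

    Printed on the unit's label, never derived from any identifier, so it
    cannot be recomputed from anything an attacker can learn remotely.
    """
    return secrets.token_urlsafe(nbytes)


def still_at_factory_default(serial: str, current_password: str) -> bool:
    """Fleet-audit helper (hypothetical): flag a device whose admin password
    still equals the serial-derived default. Constant-time compare so the
    check itself leaks nothing if it is ever run against live input."""
    return hmac.compare_digest(weak_default_password(serial), current_password)


def demo() -> dict:
    # Constructed sample serials, not real device identifiers.
    serials = ["U63456A1B2C3D4E5", "U63456F6G7H8I9J0"]
    weak = [weak_default_password(s) for s in serials]
    recomputed = [attacker_recovers_password(s) for s in serials]
    strong = [strong_default_password() for _ in serials]
    return {
        # Every serial-derived default is recovered by the attacker.
        "weak_recomputable": weak == recomputed,
        # Random defaults are distinct per device and not a function of the serial.
        "strong_unique": len(set(strong)) == len(strong),
        # A device left on its default is flagged; a changed one is not.
        "flagged_unchanged": still_at_factory_default(serials[0], weak[0]),
        "flagged_changed": still_at_factory_default(serials[0], strong[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The fix on the manufacturing side is the second function: generate the default from a CSPRNG per unit and print it on the label. For devices already in the field, the only equivalent is the administrator replacing the default by hand, which is what Brother's advisory asks owners to do.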
"Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models," Rapid7 explained in its disclosure. Only devices manufactured after that process change will be fully protected out of the box, ZDNet reported.
The authentication bypass can be chained with the seven other vulnerabilities Rapid7 disclosed alongside it, which between them let an attacker retrieve sensitive information, crash the device, force it to open arbitrary TCP connections, make it issue HTTP requests and recover passwords for connected services. One flaw, a stack-based buffer overflow tracked as CVE-2024-51979, enables remote code execution; another, CVE-2024-51984, discloses the credentials the printer stores for external services such as LDAP and FTP servers. Several of these, including the code-execution bug, require administrator authentication, which is precisely what the default-password flaw hands to an attacker.
Brother has released firmware updates for the other seven vulnerabilities, but because the default password is set at the factory, CVE-2024-51978 can only be closed on existing devices by their owners. Brother recommends that all users immediately change the default administrator password through the printer's web-based management interface. Until that is done, a device whose serial number is known remains exposed even after the firmware update, so the password change should be treated as part of the patch rather than an optional hardening step.
According to Engadget, users can check whether their specific model is affected by consulting Brother's published list of vulnerable devices. Brother has said it will address the underlying issue in future manufacturing processes, though this provides no protection for devices already in the field.
The vulnerabilities affect both home and enterprise environments, with researchers noting that millions of printers could be at risk. The flaws reach beyond Brother's own brand because the affected Fujifilm, Toshiba, Ricoh and Konica Minolta devices are built on Brother's hardware and firmware, illustrating how a weakness in one supplier can ripple through an interconnected technology ecosystem.
Rapid7 began its disclosure process in May 2024, working with Japan's JPCERT Coordination Center (JPCERT/CC) to coordinate responses from all affected manufacturers. The research underscores ongoing challenges with Internet of Things device security, particularly for equipment that users rarely consider updating or securing beyond initial installation.