News Brother Printer Security issues - Brother along with other ODM's (Minolta, Toshiba, Ricoh, and Fujifilm)

sfx2000

Part of the Furniture
Check for updates and config options - Brother has a series of updates around this issue...



Overview

Update June 25, 2025: Update statistics to reflect an additional 6 affected models from Konica Minolta, Inc.

Rapid7 conducted a zero-day research project into multifunction printers (MFP) from Brother Industries, Ltd. This research resulted in the discovery of 8 new vulnerabilities. Some or all of these vulnerabilities have been identified as affecting 689 models across Brother’s range of printer, scanner, and label maker devices. Additionally, 46 printer models from FUJIFILM Business Innovation, 5 printer models from Ricoh, 2 printer models from Toshiba Tec Corporation, and 6 models from Konica Minolta, Inc. are affected by some or all of these vulnerabilities. In total, 748 models across 5 vendors are affected. Rapid7, in conjunction with JPCERT/CC, has worked with Brother over the last thirteen months to coordinate the disclosure of these vulnerabilities.

The most serious of the findings is the authentication bypass CVE-2024-51978. A remote unauthenticated attacker can leak the target device's serial number through one of several means, and in turn generate the target device's default administrator password. This is due to the discovery of the default password generation procedure used by Brother devices. This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device's unique serial number, during the manufacturing process. Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models. Only affected models that are made via this new manufacturing process will be fully remediated against CVE-2024-51978. For all affected models made via the old manufacturing process, Brother has provided a workaround.
 
