Fujifilm, Ricoh, and Toshiba models were all impacted as well, with the worst flaw allowing a malicious actor to extract admin passwords.
Security researchers, working with a major printer manufacturer, have uncovered a raft of new vulnerabilities in hundreds of printer models made by four different vendors.
Working with Brother and Japan’s JPCERT Coordination Center, researchers at Rapid7 discovered eight vulnerabilities across 689 models of Brother multifunction printers.
In addition, 46 Fujifilm Business Innovation devices, five Ricoh models, and two made by Toshiba Tec Corporation are subject to some or all of these vulnerabilities.
“The most serious of the findings is the authentication bypass CVE-2024-51978. A remote unauthenticated attacker can leak the target device’s serial number through one of several means, and in turn generate the target device’s default administrator password,” Rapid7 said in a 25 June blog post.
“This is due to the discovery of the default password generation procedure used by Brother devices. This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device’s unique serial number, during the manufacturing process.”
Unfortunately, this vulnerability cannot be addressed by a firmware update, since the issue is due in part to Brother’s manufacturing process. Brother will be initiating a new manufacturing process to produce printers without this flaw, and it has provided a workaround for older devices.
“Brother would like to thank Rapid7 for their efforts in discovering the issues,” a Brother spokesperson said.
Here’s a full list of the vulnerabilities recently disclosed:
“Rapid7, acting as the CVE Numbering Authority (CNA) in this disclosure, has populated all eight CVE records with information for every known affected model,” Rapid7 said.
In addition, Brother has published three advisories regarding the disclosure:
Rapid7’s Stephen Fewer discovered the vulnerabilities during a zero-day research project based on Brother's MFC-L9570CDW device. Brother initially contacted Rapid7 regarding the vulnerabilities in May 2024. In July of the same year, JPCERT/CC got involved in the disclosure process on Brother’s behalf. Over the next 11 months, Rapid7, Brother, and JPCERT/CC worked together to remediate the issues and verify the fixes provided, with final confirmation of the fixes made in March 2025.
An updated list of models impacted by the vulnerabilities was provided to Rapid7 by JPCERT/CC on 2 June, with the final public disclosure made on 25 June – a date broadly agreed upon back in August 2024.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.