Critical vulnerability found in hundreds of Brother printers, one of which cannot be fixed
Cybersecurity researchers at security firm Rapid7 have discovered eight new vulnerabilities in 689 models of Brother home and business printers, including a critical one that cannot be fixed through a firmware update, The Verge reports.
The most serious vulnerability, tracked as CVE-2024-51978 with a CVSS rating of 9.8 "Critical", allows an attacker who knows a printer's serial number to recreate its factory administrator password. This is possible because, on the affected Brother printers, the default password is derived from each device's unique serial number. Administrator access in turn gives the attacker a path to the seven other vulnerabilities Rapid7 discovered, which allow them to:
- Retrieve configurations and credentials;
- Remotely reboot or disable the device;
- Open unintended TCP connections;
- Perform arbitrary HTTP requests through the printer's web interface;
- Disclose passwords for associated network services.
According to Brother, seven of these vulnerabilities will be fixed through future firmware updates, but CVE-2024-51978 "cannot be completely eliminated through an update." The company plans to change its manufacturing process so that future models will not ship with a default factory password.
As an immediate mitigation, Brother is advising all users of affected models to change the default administrator password via the printer's web management interface.
Rapid7 also reports that related, but less common, vulnerabilities affect 59 printer models from Fujifilm, Toshiba, Ricoh, and Konica Minolta. However, not all vulnerabilities are present in all models.
Brother has published a list of affected printers and detailed instructions for changing factory passwords on its support portal.