Rapid7 conducted a zero-day research project into multifunction printers (MFPs) from Brother Industries, Ltd., resulting in the discovery of 8 new vulnerabilities. These vulnerabilities were identified as affecting 748 models across 5 vendors: Brother, FUJIFILM Business Innovation, Ricoh, Toshiba Tec Corporation, and Konica Minolta. The most critical vulnerability, an authentication bypass, allowed remote attackers to obtain the default administrator password of an affected device.
The authentication bypass vulnerability, CVE-2024-51978, was found to be the most serious, enabling attackers to generate the default administrator passwords of affected Brother devices. It stems from Rapid7's discovery of the procedure by which default passwords are generated during manufacturing; because the weakness lies in that procedure rather than in a single firmware component, Brother indicated that this vulnerability required changes to the manufacturing process for full remediation.
In addition to the authentication bypass vulnerability, Rapid7 identified 7 other vulnerabilities affecting various services such as HTTP, HTTPS, IPP, and Web Services over HTTP. These vulnerabilities ranged from information leaks to denial of service attacks, potentially impacting the availability and security of the devices.
Rapid7, in collaboration with JPCERT/CC, worked with Brother over a thirteen-month period to coordinate the disclosure of these vulnerabilities. The affected models required firmware updates and workarounds to mitigate the security risks posed by the vulnerabilities.
Mapping the vulnerabilities across the 748 affected models showed how many models each CVE impacts. Rapid7 served as the CVE Numbering Authority (CNA) for this disclosure, ensuring that all affected models were accounted for in the CVE records.
A detailed technical analysis of the vulnerabilities, along with proof of concept source code, was made available in Rapid7’s white paper. The vulnerabilities were discovered by Stephen Fewer, Principal Security Researcher at Rapid7, and disclosed in accordance with Rapid7’s vulnerability disclosure policy.
Brother acknowledged Rapid7's efforts in discovering the vulnerabilities and informed customers about the mitigation measures through vendor advisories. While most of the vulnerabilities were remediated via firmware updates, the authentication bypass vulnerability could not be fully fixed in firmware and instead required a workaround on already-manufactured devices.
The disclosure timeline outlined the communication and coordination efforts between Rapid7, Brother, and JPCERT/CC, leading to the public disclosure in June 2025. Users of affected models were advised to apply both firmware updates and workarounds to address all 8 vulnerabilities identified by Rapid7.
The collaboration between security researchers, vendors, and coordination authorities underscores the importance of proactive security measures and timely disclosure to protect users from potential cyber threats.