Hundreds of Brother printer models have an unpatchable security flaw

Serious security flaws have been found in hundreds of Brother printer models that could allow attackers to remotely access devices that are still using default passwords. Eight new vulnerabilities, one of which cannot be fixed by patching the firmware, were discovered in 689 kinds of Brother home and enterprise printers by security company Rapid7.

The flaws also impact 59 printer models from Fujifilm, Toshiba, Ricoh, and Konica Minolta, but not every vulnerability is found on every printer model. If you own a Brother printer, you can check to see if your model is affected here.

The most serious security flaw, tracked under CVE-2024-51978 in the National Vulnerability Database, has a 9.8 “Critical” CVSS rating and allows attackers to generate the device’s default admin password if they know the serial number of the printer they’re targeting. This allows attackers to exploit the other seven vulnerabilities discovered by Rapid7, which include retrieving sensitive information, crashing the device, opening TCP connections, performing arbitrary HTTP requests, and exposing passwords for connected network services.

While seven of these security flaws can be fixed via firmware updates detailed in Rapid7’s report, Brother indicated to the company that CVE-2024-51978 itself “cannot be fully remediated in firmware,” and will be fixed via a change to the manufacturing process for future versions of affected printer models. For current models, Brother recommends that users change the default admin password for their printer via the device’s Web-Based Management menu

Changing default manufacturing passwords is something we should all be doing when we take a new device home anyway, and these printer vulnerabilities are a good example as to why.