Security researchers at Rapid7 have uncovered a series of eight significant vulnerabilities affecting a staggering 748 multifunction printer (MFP) models from Brother Industries, Fujifilm Business Innovation, Ricoh, Toshiba Tec Corporation, and Konica Minolta, Inc.
The findings, published on June 25, 2025, highlight the risks associated with networked printing devices and the potential for attackers to bypass authentication, execute arbitrary HTTP requests, and even achieve remote code execution (RCE) on affected devices.
The Scope and Nature of the Vulnerabilities
Rapid7’s investigation spanned thirteen months and involved close coordination with JPCERT/CC and all affected vendors.
The research identified 689 affected Brother models, alongside 46 from Fujifilm, 5 from Ricoh, 2 from Toshiba Tec, and 6 from Konica Minolta.
The most critical vulnerability, CVE-2024-51978, enables a remote, unauthenticated attacker to generate the default administrator password using a device’s serial number, which can be obtained via another flaw or through standard protocols such as Printer Job Language (PJL) or Simple Network Management Protocol (SNMP).
CVE-2024-51978 is particularly concerning because the default password generation process is hardcoded into the device’s firmware during manufacturing.
Brother has confirmed that this vulnerability cannot be fully remediated solely through firmware updates; instead, a change in the manufacturing process is required.
Devices manufactured under the new process will be immune, but all others will remain vulnerable unless the provided workarounds are implemented.
Technical Details and Exploit Potential
The vulnerabilities can be grouped into several categories, each with distinct technical implications:
- Authentication Bypass (CVE-2024-51978): As mentioned, this allows an attacker to generate the default admin password using the device’s serial number. The prerequisite for this attack is obtaining the serial number, which can be achieved via CVE-2024-51977 (information leak) or through PJL/SNMP queries.
- Information Leak (CVE-2024-51977): This vulnerability allows an unauthenticated attacker to leak sensitive information, including the device’s serial number, via HTTP, HTTPS, or IPP (Internet Printing Protocol) services.
- Stack-Based Buffer Overflow (CVE-2024-51979): An authenticated attacker can trigger a stack-based buffer overflow, potentially gaining control over the device’s CPU registers, including the Program Counter (PC). Control of the PC is a critical step toward achieving RCE.
- Server-Side Request Forgery (SSRF) (CVE-2024-51980 and CVE-2024-51981): These flaws permit an unauthenticated attacker to force the device to open arbitrary TCP connections or perform arbitrary HTTP requests. This can be leveraged to pivot into internal networks if the printer’s web interface is exposed.
- Denial of Service (DoS) (CVE-2024-51982 and CVE-2024-51983): These vulnerabilities enable an unauthenticated attacker to crash the device via PJL or web services, resulting in complete device unavailability.
- Password Disclosure (CVE-2024-51984): An authenticated attacker can retrieve plaintext credentials for external services such as LDAP or FTP, potentially enabling further network compromise.
Impact and Attack Scenarios
The combination of these vulnerabilities can lead to severe consequences. For instance, an attacker can chain the authentication bypass (CVE-2024-51978) with the stack-based buffer overflow (CVE-2024-51979) to achieve unauthenticated RCE.
The SSRF vulnerabilities (CVE-2024-51980 and CVE-2024-51981) can be exploited to perform network reconnaissance or data exfiltration, particularly when the printer is configured as a bridge between network segments.

The DoS vulnerabilities (CVE-2024-51982 and CVE-2024-51983) can be exploited to disrupt business operations by repeatedly crashing affected devices.
The password disclosure vulnerability (CVE-2024-51984) enables attackers to gain additional credentials, allowing them to pivot deeper into the network and potentially access sensitive documents stored on FTP servers or other external services.
Remediation and Vendor Response
Brother and the other affected vendors have released firmware updates to address seven of the eight vulnerabilities. However, CVE-2024-51978 requires a manufacturing process change, and only devices produced under the new process will be fully remediated.
In the interim, users are advised to change default admin passwords, restrict network access to MFP management interfaces, and apply all available firmware updates.
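The following added example (not from Rapid7 or any vendor) shows how the three interim measures interact for a fleet inventory: it computes which of the eight CVEs remain present on a device and which are reachable without credentials. The device records, field names, and the rule that any exposed service counts for the unauthenticated flaws other than CVE-2024-51977 are assumptions made for illustration.

```python
# Added example: residual-exposure triage for the eight CVEs described above.
# Device records and field names are constructed for illustration.
WEB = {"http", "https", "ipp"}   # services the article lists for CVE-2024-51977
SERIAL_ALT = {"pjl", "snmp"}     # other serial-number sources the article names
NEEDS_LOGIN = {                  # firmware-fixable CVEs -> admin login required?
    "CVE-2024-51977": False, "CVE-2024-51979": True,
    "CVE-2024-51980": False, "CVE-2024-51981": False,
    "CVE-2024-51982": False, "CVE-2024-51983": False,
    "CVE-2024-51984": True,
}
DEFAULT_PW = "CVE-2024-51978"    # not fixable by firmware, per Brother

def triage(dev):
    """Return CVEs still present and those reachable without credentials."""
    exposed = set(dev["exposed_services"])  # reachable from untrusted segments
    present = set() if dev["firmware_updated"] else set(NEEDS_LOGIN)
    if not dev["new_process"] and not dev["admin_password_changed"]:
        present.add(DEFAULT_PW)

    reach = set()
    if "CVE-2024-51977" in present and exposed & WEB:
        reach.add("CVE-2024-51977")
    # Assumption: any exposed service counts for the other unauthenticated flaws,
    # because the article does not tie each one to a single service.
    if exposed:
        reach |= {c for c in present - {"CVE-2024-51977"}
                  if c in NEEDS_LOGIN and not NEEDS_LOGIN[c]}
    serial_known = bool(exposed & SERIAL_ALT) or "CVE-2024-51977" in reach
    if DEFAULT_PW in present and serial_known:
        # A derivable default password removes the login barrier.
        reach.add(DEFAULT_PW)
        reach |= {c for c in present if NEEDS_LOGIN.get(c)}
    return {"present": sorted(present), "unauth_reachable": sorted(reach),
            "unauth_rce_chain": {DEFAULT_PW, "CVE-2024-51979"} <= reach}

INVENTORY = [  # constructed sample records
    {"host": "mfp-01", "firmware_updated": False, "new_process": False,
     "admin_password_changed": False, "exposed_services": ["http", "snmp"]},
    {"host": "mfp-02", "firmware_updated": True, "new_process": False,
     "admin_password_changed": False, "exposed_services": ["snmp"]},
    {"host": "mfp-03", "firmware_updated": False, "new_process": False,
     "admin_password_changed": True, "exposed_services": ["https"]},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d["host"], triage(d))
```

The second record is the case the article warns about: fully patched firmware still leaves CVE-2024-51978 reachable while the default password is unchanged and SNMP is exposed.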
Rapid7 has published a detailed technical analysis and proof-of-concept code in their white paper, “Print Scan Hacks: Identifying multiple vulnerabilities across multiple Brother devices.”
The company has also updated its vulnerability management tools to help customers assess their exposure to these flaws.
The discovery of these vulnerabilities underscores the importance of securing networked printing devices, which are often overlooked in enterprise security strategies.
Organizations using affected models should prioritize remediation efforts to prevent potential network compromise and ensure business continuity.
The coordinated disclosure process, involving Rapid7, JPCERT/CC, and multiple vendors, serves as a model for responsible vulnerability management in complex, multi-vendor environments.





