Oh Brother! Unfixable Printer Bug Exposes Admin Passwords On 748 Models

It is not a good time to be a network administrator, especially for businesses with Brother printers. Security researchers published a laundry list of vulnerabilities affecting a total of 748 printer models, most of them (and the worst of them) affecting Brother gear, with a tally of 689 models. There are a total of eight vulnerabilities, and six of those affect most every model in the 700+ count.

The set of vulnerabilities found by Rapid7 cover common types of network-related security issues, but the big one is CVE-2024-51978, granting an attacker access to the printer's administrator credentials. In a tale that sounds like it's out of the early 2000s, the default administrator password for many printers, across multiple OEMs, isn't random. Whichever engineer had the assignment failed Security 101 and made the default password a calculated variation of the printer's serial number.

Said calculation can be trivially reproduced by an attacker to gain full control of the device. If this mishap sounds familiar, you're probably thinking of the good ol' days when you could get into most any router by Thomson et al, as its Wi-Fi password was derived from the network name. Some might say I did that a couple or three times for free Wi-Fi on vacation, though I refuse to elaborate without his lawyer present.

Now, to do the exploit above, you do need the printer's serial number that's on the back of the printer, as well as on a text (CSV) file that's conveniently accessible via the network, with no authentication required. This is vulnerability CVE-2024-51977, and it too covers printers from multiple OEMs. If that wasn't bad enough, CVE-2024-51979 states that you can make a malformed network request to one of various HTTP-based services on the printers, and you get to execute any code you want on the device. Coupled with the two previous vulnerabilities, the end result is that any remote attacker can run any code on the printer in question.


If you're wondering why this is a big deal other than an attacker using up your toner and paper, consider that a hacked printer can be used as a launch pad for any other number of attacks on a target network, all without anyone being the wiser. After all, a printer is a device that generally doesn't get much attention from security boffins, given that most security concerns relate to computers, routers, and miscellaneous networking equipment.

The vulnerabilities were originally disclosed to manufacturers in 2024, and they're providing firmware updates now. However, Brother already came out and said that the administrator password problem is unfixable with a firmware update and recommends that network administrators alter the default password to one of their choosing, something that arguably should always be done from the get-go in a managed environment.

The rest of the vulnerabilities are fixable with a firmware update, but in case your printer model isn't listed, temporary mitigations mostly revolve around disabling WSD (Web Services for Devices), TFTP, and a couple other similar operations. Reports of printers spewing out sheet after sheet filled with "all work and no play makes Jack a dull boy" are as of yet unconfirmed.