
Multiple Brother Device Vulnerabilities Allow Attackers to Execute Arbitrary HTTP Requests



A zero-day research project has uncovered eight new vulnerabilities in multifunction printers (MFPs) and related devices from Brother Industries, Ltd. The flaws affect 748 models across five vendors: Brother, FUJIFILM Business Innovation, Ricoh, Toshiba Tec Corporation, and Konica Minolta, Inc.

The findings, published in a coordinated release with JPCERT/CC after more than a year of collaboration, include flaws that could allow attackers to execute arbitrary HTTP requests, bypass authentication, and potentially achieve remote code execution (RCE).

The most severe, CVE-2024-51978 (CVSS 9.8, Critical), lets an unauthenticated remote attacker generate a device's default administrator password: the password is derived from the device's serial number, assigned during manufacturing, by a predictable transformation, so anyone who learns the serial can recompute it.

Brother has acknowledged that this flaw cannot be fully remediated via firmware updates, necessitating a manufacturing process overhaul for new units ...
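To make concrete why a serial-derived default password cannot be fixed by a firmware update alone, the following Python is an added illustration written for this page; it is not code from the article, from the research team, or from Brother, and the derivation it uses (a SHA-256 of a fixed salt plus the serial) is a constructed stand-in, not the vendors' actual transformation. It places the weak scheme beside a hardened one in which each unit receives a random password at manufacture that is stored only as a salted hash.

```python
import hashlib
import hmac
import secrets
import string

# Constructed stand-in for a "predictable transformation of the serial number".
# Not the real algorithm. It shows the structural weakness: every input is
# either public (the serial) or shipped in every unit's firmware (the salt),
# so anyone who learns the serial can recompute the output.
FIRMWARE_SALT = b"example-salt-shared-by-all-units"  # assumption: fixed, in firmware


def derive_default_password(serial: str) -> str:
    """Weak scheme: deterministic default password from a public serial."""
    digest = hashlib.sha256(FIRMWARE_SALT + serial.encode()).hexdigest()
    return digest[:8].upper()


def attacker_recovers_password(serial: str) -> str:
    """An attacker with the serial and the firmware's salt runs the same code."""
    return derive_default_password(serial)


# Hardened scheme: a per-unit password from a CSPRNG, printed on the unit's
# label at manufacture and kept on the device only as a salted, slow hash.
def generate_unit_password(length: int = 16) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def store_password_hash(password: str) -> tuple:
    """Return (salt, hash); the plaintext is never stored on the device."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(digest, stored)


def demo(serial: str = "CONSTRUCTED-SERIAL-000123") -> dict:
    """Compare both schemes for one constructed serial number (not a real one)."""
    # Weak scheme: the device sets the derived password; the attacker recomputes it.
    device_default = derive_default_password(serial)
    guess = attacker_recovers_password(serial)
    # Hardened scheme: the device's password is random; the serial reveals nothing.
    salt, stored = store_password_hash(generate_unit_password())
    return {
        "weak_scheme_guess_matches": guess == device_default,
        "hardened_scheme_guess_matches": verify_password(guess, salt, stored),
    }


if __name__ == "__main__":
    print(demo())
```

The point the comparison makes is that a firmware update can change the derivation for units built afterwards, but it cannot retroactively give already-shipped units a secret the attacker does not have; for deployed devices the practical mitigation is to replace the default administrator password rather than rely on the derived one.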


Copyright of this story solely belongs to gbhackers.