cbcvebase.
CVE-2024-51978
published 2025-06-25

Priority: P1 · 92 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 23.64% (97.5th percentile)
An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request.

Detection & IOCs (extracted from sources)

path: /etc/mnt_info.csv
path: /general/status.html
cookie: AuthCookie=
path: /etc/passerror.html
command: POST /general/status.html HTTP/1.1 Content-Type: application/x-www-form-urlencoded
yara: contains_all(body, 'Main Firmware Version','Model Name') && status_code == 200
  • Serial number is leaked unauthenticated from /etc/mnt_info.csv via HTTP GET; the serial number regex pattern is a 15-character alphanumeric string in quotes: '"(\w{15})"'
  • Serial number can also be leaked via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests — monitor for unauthenticated enumeration across these protocols against Brother devices
  • Successful exploitation is confirmed by a Set-Cookie header containing 'AuthCookie=' without a redirect to /etc/passerror.html after a POST to /general/status.html
  • Attack flow: (1) GET /etc/mnt_info.csv to extract serial number, (2) compute default password via SHA256+base64+character substitution algorithm using a hardcoded SALT_LOOKUP_TABLE and SALT_DATA_TABLE, (3) POST login credentials to /general/status.html
  • The eSCL/uscan protocol (CVE-2025-8452) can also be used to obtain the serial number to feed into this exploit; monitor for eSCL discovery requests on the local network
  • FOFA/ZoomEye fingerprint for identifying exposed Brother printer admin interfaces: app="brother-Printer" or device="brother-Printer"
  • The login form field name is extracted dynamically from id="LogBox" in /general/status.html; the POST body includes loginurl=/general/status.html and an optional CSRFToken parameter
  • Changing the default administrator password fully mitigates this vulnerability; the calculated default password would no longer be valid
  • The eSCL/uscan serial number leak vector (CVE-2025-8452) is typically only exposed on the local network, limiting remote exploitation via that specific vector
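
The request sequence in the notes above can be turned into a correlation rule. The following is an added example, not code from this page or its sources: it flags a serial-number read of /etc/mnt_info.csv followed by a login POST to /general/status.html from the same source, and applies the AuthCookie/passerror.html success criterion. The JSON-lines schema, field names, 10-minute window and sample events are all assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window; tune to your environment

# Constructed sample events; the JSON-lines schema is an assumption (HTTP sensor or proxy).
SAMPLE_LOG = """\
{"ts":"2025-07-01T10:00:00","src":"198.51.100.7","dst":"10.0.5.20","method":"GET","path":"/etc/mnt_info.csv","status":200,"set_cookie":"","location":""}
{"ts":"2025-07-01T10:00:04","src":"198.51.100.7","dst":"10.0.5.20","method":"POST","path":"/general/status.html","status":301,"set_cookie":"AuthCookie=abc; path=/","location":"/general/status.html"}
{"ts":"2025-07-01T10:05:00","src":"203.0.113.9","dst":"10.0.5.21","method":"GET","path":"/etc/mnt_info.csv","status":200,"set_cookie":"","location":""}
{"ts":"2025-07-01T10:05:03","src":"203.0.113.9","dst":"10.0.5.21","method":"POST","path":"/general/status.html","status":301,"set_cookie":"","location":"/etc/passerror.html"}
{"ts":"2025-07-01T10:20:00","src":"10.0.1.15","dst":"10.0.5.20","method":"POST","path":"/general/status.html","status":301,"set_cookie":"AuthCookie=def; path=/","location":"/general/status.html"}
"""

def detect(lines, window=WINDOW):
    """Return alerts for a serial-number read followed by an admin login POST.

    Events are assumed to arrive in time order.
    """
    serial_reads = {}  # (src, dst) -> time of the last successful mnt_info.csv read
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["src"], ev["dst"])
        path = ev["path"].split("?", 1)[0]  # ignore any query string
        if ev["method"] == "GET" and path == "/etc/mnt_info.csv" and ev["status"] == 200:
            serial_reads[key] = ts
        elif ev["method"] == "POST" and path == "/general/status.html":
            read_ts = serial_reads.get(key)
            if read_ts is None or not (timedelta(0) <= ts - read_ts <= window):
                continue  # login with no preceding serial read from this source
            # Success criterion from the notes: AuthCookie= is set and the
            # response does not redirect to /etc/passerror.html.
            ok = ("AuthCookie=" in ev.get("set_cookie", "")
                  and "/etc/passerror.html" not in ev.get("location", ""))
            alerts.append({"src": ev["src"], "dst": ev["dst"], "ts": ev["ts"],
                           "verdict": "admin_login_succeeded" if ok else "admin_login_failed"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

An "admin_login_failed" verdict after a serial read is still worth triage: it is what a device whose default password was already changed looks like under this sequence.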

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 5.3 · MEDIUM