CVE-2024-51978
published 2025-06-25
CVE-2024-51978: An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device. An unauthenticated…
Priority: P1 | 92 | critical | 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW | EXPLOIT | VulnCheck KEV | Initial access
Exploited in the wild
EPSS: 23.64% (97.5th percentile)
An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request.
Detection & IOCs (extracted from sources)
yara
contains_all(body, 'Main Firmware Version','Model Name') && status_code == 200
- Serial number is leaked unauthenticated from /etc/mnt_info.csv via HTTP GET; the serial number regex pattern is a 15-character alphanumeric string in quotes: '"(\w{15})"'
- Serial number can also be leaked via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests; monitor for unauthenticated enumeration across these protocols against Brother devices
- Successful exploitation is confirmed by a Set-Cookie header containing 'AuthCookie=' without a redirect to /etc/passerror.html after a POST to /general/status.html
- Attack flow: (1) GET /etc/mnt_info.csv to extract serial number, (2) compute default password via SHA256+base64+character substitution algorithm using a hardcoded SALT_LOOKUP_TABLE and SALT_DATA_TABLE, (3) POST login credentials to /general/status.html
- The eSCL/uscan protocol (CVE-2025-8452) can also be used to obtain the serial number to feed into this exploit; monitor for eSCL discovery requests on the local network
- FOFA/ZoomEye fingerprint for identifying exposed Brother printer admin interfaces: app="brother-Printer" or device="brother-Printer"
- The login form field name is extracted dynamically from id="LogBox" in /general/status.html; the POST body includes loginurl=/general/status.html and an optional CSRFToken parameter
- Changing the default administrator password fully mitigates this vulnerability; the calculated default password would no longer be valid
- The eSCL/uscan serial number leak vector (CVE-2025-8452) is typically only exposed on the local network, limiting remote exploitation via that specific vector
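The HTTP indicators listed above can be correlated in proxy or web-gateway logs. The following is an added example, not code from any of the cited sources; the log layout, field names and sample records are constructed assumptions. It flags a client that fetches /etc/mnt_info.csv and then POSTs to /general/status.html on the same printer, and marks the chain as a successful login when the response sets AuthCookie= without redirecting to /etc/passerror.html.

```python
LEAK_PATH = "/etc/mnt_info.csv"        # serial number source named on the page
LOGIN_PATH = "/general/status.html"    # login POST target named on the page
FAIL_REDIRECT = "/etc/passerror.html"  # redirect returned on a failed login

# Constructed sample records (assumed layout, "-" means empty):
# epoch src dst method path status location set-cookie
SAMPLE_LOG = """\
1750000000 10.0.5.23 10.0.9.40 GET /etc/mnt_info.csv 200 - -
1750000004 10.0.5.23 10.0.9.40 GET /general/status.html 200 - -
1750000005 10.0.5.23 10.0.9.40 POST /general/status.html 200 - AuthCookie=constructed
1750000100 10.0.5.77 10.0.9.41 GET /etc/mnt_info.csv 200 - -
1750000103 10.0.5.77 10.0.9.41 POST /general/status.html 302 /etc/passerror.html -
1750000200 10.0.5.90 10.0.9.42 POST /general/status.html 200 - AuthCookie=constructed
"""

def parse(line):
    ts, src, dst, method, path, status, location, cookie = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "method": method,
            "path": path, "status": int(status),
            "location": location, "cookie": cookie}

def find_chains(log_text, window_s=300):
    """Flag a serial-number fetch followed by a login POST from the same client."""
    last_leak = {}   # (src, dst) -> time of the most recent leak-file fetch
    alerts = []
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["method"] == "GET" and ev["path"] == LEAK_PATH and ev["status"] == 200:
            last_leak[key] = ev["ts"]
        elif ev["method"] == "POST" and ev["path"] == LOGIN_PATH and key in last_leak:
            if ev["ts"] - last_leak[key] > window_s:
                continue  # too far apart to treat as one chain
            logged_in = ("AuthCookie=" in ev["cookie"]
                         and FAIL_REDIRECT not in ev["location"])
            alerts.append({"src": ev["src"], "printer": ev["dst"],
                           "verdict": "admin_login_succeeded" if logged_in
                                      else "login_attempt_after_leak"})
    return alerts

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```

The third client in the sample logs in without first fetching the serial number file, so it is not flagged; a login that succeeds after a fetch means the printer still has its default administrator password.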
CVSS provenance
nvd | v3.1 | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 5.3 MEDIUM
GHSA
GHSA-7q89-r4x7-5664: By using the "uscan" protocol provided by the eSCL specification, an attacker can discover the serial number of multi-function printers that implement
ghsa_unreviewed·2025-08-12·CVSS 5.3
CVE-2025-8452 [MEDIUM] CWE-538 GHSA-7q89-r4x7-5664: By using the "uscan" protocol provided by the eSCL specification, an attacker can discover the serial number of multi-function printers that implement
By using the "uscan" protocol provided by the eSCL specification, an attacker can discover the serial number of multi-function printers that implement the Brother-provided firmware. This serial number can, in turn, be leveraged by the flaw described by CVE-2024-51978 to calculate the default administrator password. This flaw is similar to CVE-2024-51977, with the only difference being the protocol an attacker can use to learn the remote device's serial number. The eSCL/uscan vector is typically only exposed on the local network. Any discovery service that implements the eSCL specification can be used to exploit this vulnerability, and one such implementation is the runZero Explorer. Changing the default administrator password will render this vulnerability virtually worthless,
GHSA
GHSA-2mr3-j246-x7x3: An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device
ghsa_unreviewed·2025-06-26·CVSS 5.3
CVE-2024-51978 [MEDIUM] CWE-1391 GHSA-2mr3-j246-x7x3: An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device
An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request.
VulnCheck
Use of Weak Credentials
vulncheck·2024·CVSS 5.3
CVE-2024-51978 [MEDIUM] Use of Weak Credentials
An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request.
Affected: Brother Industries, Ltd./FUJIFILM Business Innovation/Ricoh/Toshiba Tec/Konica Minolta, Inc. Multiple Printer Devices
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2024-51978
Exploit PoC: https://vulncheck.com/xdb/20e9ac05cdf5
No detection rules found.
Metasploit
Multiple Brother devices authentication bypass via default administrator password generation
metasploit
By leaking a target device's serial number, a remote attacker can generate the target device's default administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests.
Nuclei
Brother Printers – Authentication Bypass via Default Admin Password
nuclei·CVSS 9.8
CVE-2024-51978 [CRITICAL] Brother Printers – Authentication Bypass via Default Admin Password
By leaking a target device's serial number, a remote attacker can generate the target device's default administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests.
Template:
id: CVE-2024-51978
info:
  name: Brother Printers – Authentication Bypass via Default Admin Password
  author: iamnoooob,pdresearch,MathematicianGoat
  severity: critical
  description: |
    By leaking a target device's serial number, a remote attacker can generate the target device's default administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests.
  impact: |
    Attackers can exploit this vulnerability to compromise system
Bleepingcomputer
Brother printer bug in 689 models exposes default admin passwords
blogs_bleepingcomputer·2025-06-26·CVSS 5.3
CVE-2024-51978 [MEDIUM] Brother printer bug in 689 models exposes default admin passwords
## Brother printer bug in 689 models exposes default admin passwords
## Bill Toulas
A total of 689 printer models from Brother, along with 53 other models from Fujifilm, Toshiba, and Konica Minolta, come with a default administrator password that remote attackers can generate. Even worse, there is no way to fix the flaw via firmware in existing printers.
The flaw, tracked under CVE-2024-51978, is part of a set of eight vulnerabilities discovered by Rapid7 researchers during a lengthy examination of Brother hardware.
CVE-2024-51977 | An unauthenticated attacker can leak sensitive information. | HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) | 5.3 (Medium)
CVE-2024-51978 | An unauthenticated attacker can generate the device's default administrator password. | HTTP (Port 80), HTTPS (Port 4
Greynoiseio
NoiseLetter July 2025
blogs_greynoiseio
https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-51978.yaml
https://github.com/rapid7/metasploit-framework/pull/20349
https://github.com/sfewer-r7/BrotherVulnerabilities
https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100846_000
https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100848_000
https://support.brother.com/g/b/link.aspx?prod=lmgroup1&faqid=faqp00100620_000
https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2025-0001.pdf
https://www.rapid7.com/blog/post/multiple-brother-devices-multiple-vulnerabilities-fixed
https://www.toshibatec.com/information/20250625_02.html
https://www.bleepingcomputer.com/news/security/brother-printer-bug-in-689-models-exposes-default-admin-passwords/
https://www.darkreading.com/endpoint-security/millions-brother-printers-critical-unpatchable-bug
https://www.securityweek.com/new-vulnerabilities-expose-millions-of-brother-printers-to-hacking/