Published:2025/09/17  Last Updated:2025/09/17

JVNVU#93294882
Multiple Brother and its OEM products with weak initial administrator passwords

Overview

The factory-default configuration of multiple products provided by BROTHER INDUSTRIES, LTD and other OEM vendors contains a weak initial administrator password that can be derived from the device's serial number.

Products Affected

A wide range of products are affected.
For details of the affected product names, model numbers, and versions, refer to the information provided by the respective vendors under [Vendor Status].

Description

Multiple products provided by BROTHER INDUSTRIES, LTD and other OEM vendors are set up with weak initial administrator passwords that can be derived from their serial numbers.
This issue was reported by Rapid7 and is covered in JVNVU#90043828 as CVE-2024-51978.
Brother states that
(1) serial numbers have been available without authentication by design, for system management purposes, and
(2) to fix CVE-2024-51978, the production lines have been revised so that the initial passwords are hard to derive from the serial numbers.

After the publication of CVE-2024-51978, runZero reported that eSCL/uscan can also be used to retrieve serial numbers without authentication.
Because eSCL/uscan is not covered by CVE-2024-51977, and in light of the existence of CVE-2024-51978, Austin Hackers Anonymous assigned CVE-2025-8452 to this issue.

Impact

If an affected product is deployed without changing the initial password, anyone who knows how to derive the initial password from the serial number may access the product with administrative privileges.

Solution

Change the administrator password from the initial one when deploying the product to the working environment.

Vendor Status

Vendor                     Status      Last Update  Vendor Notes
Brother Industries, Ltd.   Vulnerable  2025/09/17   Brother Industries, Ltd. website
Konica Minolta, Inc.       Vulnerable  2025/09/17   Konica Minolta, Inc. website
Toshiba Tec Corporation    Vulnerable  2025/09/17   Toshiba Tec Corporation website

References

  1. AHA! Advisory | CVE-2025-8452: Brother Printer Serial Number Disclosure
  2. runZero: How to find Brother printer, scanner and label maker devices on your network
  3. JVNVU#90043828: Multiple vulnerabilities in multiple BROTHER products

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

runZero reported this issue to the developer.
JPCERT/CC coordinated between the reporter and the developer.

Update History

2025/09/17
Toshiba Tec Corporation status updated