Published: 2025/06/25  Last Updated: 2025/06/25

JVNVU#90043828
Multiple vulnerabilities in multiple BROTHER products

Overview

Multiple BROTHER products provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities.

Products Affected

A wide range of products are affected.
For details of the affected product names, model numbers, and versions, refer to the information provided by the respective vendors in [Vendor Status].

Description

Multiple BROTHER products provided by BROTHER INDUSTRIES, LTD. contain the vulnerabilities listed below.

  • Exposure of sensitive system information to an unauthorized control sphere (CWE-497)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.9
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
    • CVE-2024-51977
  • Use of weak credentials (CWE-1391)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2024-51978
  • Stack-based buffer overflow (CWE-121)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.6
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
    • CVE-2024-51979
  • Server-side request forgery (CWE-918)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.9
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
    • CVE-2024-51980, CVE-2024-51981
  • Improper handling of unexpected data type (CWE-241)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Base Score 8.7
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score 7.5
    • CVE-2024-51982
  • Improper enforcement of behavioral workflow (CWE-841)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Base Score 8.7
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score 7.5
    • CVE-2024-51983
  • Insufficiently protected credentials (CWE-522)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N Base Score 6.1
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Base Score 6.8
    • CVE-2024-51984

Impact

  • Sensitive information may be disclosed through unauthenticated access to specific ports (CVE-2024-51977)
  • The affected device's initial password can be easily generated from device-specific information (CVE-2024-51978)
  • A remote attacker with administrative privileges may trigger a stack-based buffer overflow (CVE-2024-51979)
  • A remote unauthenticated attacker may force the affected device to send an HTTP request to an arbitrary endpoint (CVE-2024-51980, CVE-2024-51981)
  • A remote unauthenticated attacker may crash the affected device (CVE-2024-51982, CVE-2024-51983)
  • By reconfiguring the affected device, a remote attacker with administrative privileges may force the device to disclose the password of the external service (CVE-2024-51984)

Solution

Update the firmware
Apply the appropriate firmware update according to the information provided by the respective vendors in [Vendor Status].

Vendor Status

Vendor                              Status      Last Update  Vendor Notes
Brother Industries, Ltd.            Vulnerable  2025/06/25   Brother Industries, Ltd. website
FUJIFILM Business Innovation Corp.  Vulnerable  2025/06/25   FUJIFILM Business Innovation Corp. website
Konica Minolta, Inc.                Vulnerable  2025/06/25   Konica Minolta, Inc. website
Ricoh Company, Ltd.                 Vulnerable  2025/06/25   Ricoh Company, Ltd. website
Toshiba Tec Corporation             Vulnerable  2025/06/25   Toshiba Tec Corporation website

References

  1. Rapid7 Vulnerabilities and Exploits
    Multiple Brother Devices: Multiple Vulnerabilities (FIXED)

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Stephen Fewer of Rapid7 reported these vulnerabilities to the developer.
JPCERT/CC coordinated between the reporter and the developer.

Update History

2025/06/25
Information under the section [References] was updated