Critical Brother printer bugs could give attackers full control

A new set of security vulnerabilities could allow attackers to access and control Brother printers and multifunction devices. The flaws impact hundreds of models and, if left unpatched or misconfigured, could lead to data theft, device compromise, and further attacks on internal networks.

Field Effect is actively tracking these vulnerabilities and advising organizations to patch and secure affected devices without delay.

What’s going on?

Researchers discovered multiple vulnerabilities that can be chained together for full access to affected devices. The most serious issues involve:

• Default admin passwords generated from each device’s serial number
• The ability to leak that serial number without authentication
• Remote code execution through a buffer overflow
• Denial-of-service and internal network scanning via SSRF

The first listed issue is especially concerning as devices ship with a default admin password based on the serial number. An attacker can extract the serial number using unauthenticated requests to services like HTTP, SNMP, or IPP. From there, the default password can be calculated and used to log in.

The attack chain

This attack chain involves:

• CVE-2024-51977: Leaks the serial number
• CVE-2024-51978: Allows password generation
• CVE-2024-51979: Buffer overflow enables code execution
• CVE-2024-51980 to CVE-2024-51984: Include denial-of-service, SSRF, and other risks

Once inside the admin panel, an attacker could crash the device, exfiltrate credentials, or use the printer to pivot further into the network.

Who’s affected?

According to the researchers, over 680 Brother models are impacted, along with some devices from other vendors. The full list of affected models and firmware updates is available in Brother’s official bulletin.

While not every device has every vulnerability, all affected models include at least one issue that could lead to compromise.

Brother has acknowledged that the default password issue is tied to how the devices were originally designed. As a result, it can’t be fully fixed with a firmware update and would require changes at the manufacturing level.

What to do

1. Change default passwords: If your printer still uses its original admin password, change it now. This stops the most critical exploit path.
2. Apply firmware updates: Brother has released patches for most models. Use their firmware download page to search by model and install the latest version.
3. Turn off unused services: Disable protocols like WSD, SNMP, and TFTP if you don’t need them. This reduces the attack surface and blocks common entry points.
4. Restrict network access: Don’t expose printers to the public internet. Place them behind firewalls, and allow access only from trusted internal systems.
5. Monitor Printer behavior: Watch for signs of compromise, including unexpected traffic or device restarts. Log printer activity alongside other endpoints.

Our perspective

These vulnerabilities highlight a recurring theme in cybersecurity: overlooked devices can become high-value targets. Printers often store credentials, expose services, and lack proper monitoring. Once compromised, they can be used to move laterally or steal data.

While the disclosure was coordinated and patches are available, one flaw remains baked into the firmware and can’t be fully fixed. That makes password hygiene and access controls even more important.

We recommend reviewing your printer fleet, applying all available updates, and locking down any remaining exposure. These steps are simple but essential.

Field Effect will continue to monitor for real-world exploitation and share any updates as the situation evolves.