[Japanese]

JVNDB-2025-007519

Multiple vulnerabilities in multiple BROTHER products

Overview

Multiple BROTHER products provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities listed below.

* Exposure of sensitive system information to an unauthorized control sphere (CWE-497) - CVE-2024-51977
* Use of weak credentials (CWE-1391) - CVE-2024-51978
* Stack-based buffer overflow (CWE-121) - CVE-2024-51979
* Server-side request forgery (CWE-918) - CVE-2024-51980, CVE-2024-51981
* Improper handling of unexpected data type (CWE-241) - CVE-2024-51982
* Improper enforcement of behavioral workflow (CWE-841) - CVE-2024-51983
* Insufficiently protected credentials (CWE-522) - CVE-2024-51984

Stephen Fewer of Rapid7 reported this vulnerability to the developer.
JPCERT/CC coordinated between the reporter and the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-51978

CVSS V3 Severity:
Base Metrics5.3 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-51977

CVSS V3 Severity:
Base Metrics7.2 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-51979

CVSS V3 Severity:
Base Metrics5.3 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-51980, CVE-2024-51981

CVSS V3 Severity:
Base Metrics7.5 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-51982

CVSS V3 Severity:
Base Metrics7.5 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-51983

CVSS V3 Severity:
Base Metrics6.8 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-51984
Affected Products


(Multiple Venders)
  • (Multiple Products)

A wide range of products are affected.
As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors in [Vendor Status].
Impact

* Sensitive information may be disclosed through unauthenticated access to the specific ports (CVE-2024-51977)
* The affected device's initial password can be easily generated from the device-specific information (CVE-2024-51978)
* A remote attacker with the administrative privilege may trigger a stack-based buffer overflow (CVE-2024-51979)
* A remote unauthenticated attacker may force the affected device to send a HTTP request to an arbitrary endpoint (CVE-2024-51980, CVE-2024-51981)
* A remote unauthenticated attacker may crash the affected device (CVE-2024-51982, CVE-2024-51983)
* By reconfiguring the affected device, a remote attacker with the administrative privilege may force the device to disclose the password of the external service (CVE-2024-51984)
Solution

[Update the firmware]
Apply the appropriate firmware update according to the information provided by the respective vendors in [Vendor Status].
Vendor Information

KONICA MINOLTA, INC. Brother Industries Ricoh Co., Ltd TOSHIBA TEC FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)
CWE (What is CWE?)

  1. Stack-based Buffer Overflow(CWE-121) [Other]
  2. Use of Weak Credentials(CWE-1391) [Other]
  3. Improper Handling of Unexpected Data Type(CWE-241) [Other]
  4. Exposure of Sensitive System Information to an Unauthorized Control Sphere(CWE-497) [Other]
  5. Insufficiently Protected Credentials(CWE-522) [Other]
  6. Improper Enforcement of Behavioral Workflow(CWE-841) [Other]
  7. Server-Side Request Forgery (SSRF)(CWE-918) [Other]
CVE (What is CVE?)

  1. CVE-2024-51977
  2. CVE-2024-51978
  3. CVE-2024-51979
  4. CVE-2024-51980
  5. CVE-2024-51981
  6. CVE-2024-51982
  7. CVE-2024-51983
  8. CVE-2024-51984
References

  1. JVN : JVNVU#90043828
  2. Related document : Multiple Brother Devices: Multiple Vulnerabilities (FIXED)
Revision History

  • [2025/06/26]
      Web page was published

Date Public2025/06/25
Date First Published2025/06/26
Date Last Updated2025/06/26