JVNDB-2025-014081
Multiple Brother and its OEM products with weak initial administrator passwords
Multiple products provided by BROTHER INDUSTRIES, LTD and other OEM vendors are set up with weak initial administrator passwords, which can be derived from their serial numbers.
This was reported by Rapid7 and addressed in JVNVU#90043828 (CVE-2024-51978).
Brother states that
(1) serial numbers have been available without authentication by design, for system management purposes, and
(2) to fix CVE-2024-51978, the production lines have been revised so that the initial passwords are hard to derive from the serial numbers.
After the publication of CVE-2024-51978, runZero reported that eSCL/uscan can also be used to retrieve serial numbers without authentication.
Since eSCL/uscan is not described in CVE-2024-51977, and considering the existence of CVE-2024-51978, Austin Hackers Anonymous assigned CVE-2025-8452.
runZero reported this issue to the developer.
JPCERT/CC coordinated between the reporter and the developer.

Affected products:
- KONICA MINOLTA, INC.
- Brother Industries
- TOSHIBA TEC

A wide range of products are affected.
For details of the affected product names, model numbers and versions, refer to the information provided by the respective vendors under [Vendor Status].

Impact:
If an affected product is deployed without changing the initial password, anyone who knows how to derive the initial password from the serial number may access the product with administrative privileges.

Solution:
Change the administrator password from the initial one when deploying the product into its working environment.

Vendor Status:
- KONICA MINOLTA, INC.
- Brother Industries
- TOSHIBA TEC

CVE:
- CVE-2025-8452

References:
- JVN: JVNVU#93294882
- JVN: JVNVU#90043828
- Related Information: Brother Printer Serial Number Disclosure
- Related Information: How to find Brother printer, scanner and label maker devices on your network

Update history:
- [2025/09/19] Web page was published