CVE-2024-51978
Published: 25 June 2025
Summary
CVE-2024-51978 is a critical-severity Use of Weak Credentials (CWE-1391) vulnerability affecting Brother devices (vendor inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability CVE-2024-51978 allows an unauthenticated attacker to generate the default administrator password on affected devices simply by knowing the target serial number. It is tracked under CWE-1391 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction. The issue impacts Brother devices that rely on predictable default credentials derived from serial numbers.
An attacker can first obtain the serial number through the related flaw CVE-2024-51977 over HTTP, HTTPS, or IPP, or by sending PJL or SNMP requests, then compute the corresponding default administrator password to achieve full administrative access.
Vendor advisories and a detailed disclosure whitepaper hosted by Brother outline mitigation steps, while public references include a Nuclei detection template and a Metasploit module that demonstrate the issue.
The EPSS score is 0.5360, which is also its peak value to date, and multiple public exploit implementations have been published.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54698
Vulnerability details
An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request.
- CWE(s): CWE-1391 (Use of Weak Credentials)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.