CVSS: 6.8EPSS: 0%CPEs: 690EXPL: 1CVE-2024-51984 – Authenticated disclosure of external service passwords via pass-back attack affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc.
https://notcve.org/view.php?id=CVE-2024-51984
25 Jun 2025 — An authenticated attacker can reconfigure the target device to use an external service (such as LDAP or FTP) controlled by the attacker. If an existing password is present for an external service, the attacker can force the target device to authenticate to an attacker controlled device using the existing credentials for that external service. In the case of an external LDAP or FTP service, this will disclose the plaintext password for that external service to the attacker. • https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.8EPSS: 0%CPEs: 666EXPL: 1CVE-2024-51983 – Unauthenticated Denial of Service (DoS) via malformed WS-Scan request affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc.
https://notcve.org/view.php?id=CVE-2024-51983
25 Jun 2025 — An unauthenticated attacker who can connect to the Web Services feature (HTTP TCP port 80) can issue a WS-Scan SOAP request containing an unexpected JobToken value which will crash the target device. The device will reboot, after which the attacker can reissue the command to repeatedly crash the device. • https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf • CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVSS: 10.0EPSS: 71%CPEs: 695EXPL: 2CVE-2024-51978 – Authentication bypass via default password generation affecting multiple models from Brother Industries, Ltd, Toshiba Tec, and Konica Minolta, Inc.
https://notcve.org/view.php?id=CVE-2024-51978
25 Jun 2025 — An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request. • https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf • CWE-1391: Use of Weak Credentials •