Hundreds of Brother Printers Affected by Critical Security Flaw
Cybersecurity researchers at Rapid7 have uncovered eight critical vulnerabilities affecting nearly 750 printer models from Brother, Fujifilm, Ricoh, Toshiba Tec and Konica Minolta, with one vulnerability deemed unpatchable in existing Brother devices.
The most serious of the flaws allows a remote attacker to derive a Brother printer’s default administrator password using the device’s serial number.
With that password, hackers could access sensitive information, change settings, or trigger further exploits.
As the default password is generated from the serial number during manufacturing, Brother has confirmed this flaw cannot be fixed via firmware, only mitigated through a manual password change or a redesigned manufacturing process.
In total, 689 Brother printers, including inkjet, laser, scanner and label models, are affected. An additional 59 models from Fujifilm Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta are also impacted.

The vulnerabilities were responsibly disclosed after a 13-month coordination effort with vendors and Japan’s national computer security incident response team, JPCERT/CC.
According to Rapid7, seven of the eight flaws can be resolved through firmware updates. These include buffer overflows, denial-of-service bugs, and weaknesses allowing attackers to crash devices, hijack connections, or access LDAP/FTP credentials.
Brother has issued firmware patches for the seven fixable flaws and a workaround for one remaining issue.
Users have been advised to update their devices and immediately change any default admin passwords, especially if their device has internet exposure or remains in its factory configuration.
Rapid7 also revealed that over 5,700 vulnerable Brother printers were found exposed online during its testing phase earlier this year.
Users can check if their model is affected via advisories on Brother’s website. Firmware updates for the other affected vendors' devices are also available.