Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-51983

CVE-2024-51983: Web Services WS-Scan DOS Vulnerability

CVE-2024-51983 is a denial of service flaw in Web Services WS-Scan that allows unauthenticated attackers to crash devices repeatedly via malformed SOAP requests. This post covers technical details, impact, and mitigation.

Published:

CVE-2024-51983 Overview

CVE-2024-51983 is an unauthenticated denial-of-service vulnerability affecting multifunction printer and scanner devices from multiple vendors, including Brother, Fujifilm, Konica Minolta, Ricoh, and Toshiba Tec. An attacker who can reach the Web Services feature on HTTP TCP port 80 can send a WS-Scan SOAP request containing an unexpected JobToken value. Processing the malformed request crashes the target device, forcing a reboot. The attacker can then repeat the request to keep the device offline indefinitely. The flaw is tracked under CWE-1286: Improper Validation of Syntactic Correctness of Input.

Critical Impact

A single unauthenticated network request crashes the device, and repeated requests deny printing and scanning services indefinitely.

Affected Products

Discovery Timeline

  • 2025-06-25 - CVE-2024-51983 published to NVD alongside coordinated vendor advisories and the Rapid7 analysis
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2024-51983

Vulnerability Analysis

The vulnerability resides in how the embedded Web Services for Devices (WSD) stack parses incoming WS-Scan SOAP requests. The scan service accepts a JobToken element to identify an active scan job. When the parser receives a JobToken value that does not match expected syntax, the firmware fails to validate the input and enters an unrecoverable error state. This terminates the device's main control process and triggers a watchdog reboot.

Because the WS-Scan endpoint listens on HTTP TCP port 80 without authentication, any host on the same network segment can deliver the malformed request. The attack requires no credentials, no user interaction, and no prior knowledge of the device beyond its IP address. The impact is purely availability; confidentiality and integrity are not affected.

Root Cause

The root cause is improper validation of the syntactic correctness of input [CWE-1286]. The SOAP handler trusts the structure of the JobToken field and dereferences or processes it without first confirming the value conforms to the expected token format. Malformed input causes the service, and ultimately the firmware, to crash.

Attack Vector

The attacker sends a crafted HTTP POST to the WS-Scan SOAP endpoint over TCP port 80. The SOAP body contains a valid ScanAvailableEvent or related WS-Scan operation, but the JobToken element carries an unexpected value. The device parses the request, crashes, and reboots. The attacker resends the request after each reboot to maintain a persistent outage. Full technical details are documented in the Rapid7 Vulnerability Disclosure Whitepaper and the GitHub Brother Vulnerabilities repository.

No verified public exploit code is included in this advisory. Refer to the references above for proof-of-concept details.

Detection Methods for CVE-2024-51983

Indicators of Compromise

  • Unexpected reboots of multifunction printers or scanners shortly after receiving inbound HTTP traffic on port 80
  • Inbound HTTP POST requests to WS-Scan SOAP endpoints (commonly /wsd/scan or /StableWSDiscoveryEndpoint) from non-management hosts
  • SOAP envelopes containing JobToken elements with malformed, oversized, or non-conforming values
  • Repeated short-interval connections to TCP port 80 on printer subnets followed by ICMP loss

Detection Strategies

  • Inspect HTTP traffic to printer VLANs for SOAP requests targeting WS-Scan actions, and flag requests whose JobToken does not match the expected token grammar
  • Correlate device availability monitoring (SNMP, ICMP) with inbound HTTP traffic to detect crash-and-reboot patterns
  • Alert on any unauthenticated HTTP traffic to printer port 80 originating from user endpoints rather than print servers

Monitoring Recommendations

  • Enable network flow logging for printer and MFP subnets and forward logs to a SIEM for correlation
  • Track device uptime metrics and generate alerts when reboot frequency exceeds an established baseline
  • Monitor firmware versions across the fleet and verify that all devices match the vendor-supplied patched build

How to Mitigate CVE-2024-51983

Immediate Actions Required

  • Apply the firmware updates published by Brother, Fujifilm, Konica Minolta, Ricoh, and Toshiba Tec for affected models
  • Restrict access to TCP port 80 on printer and MFP devices to authorized print servers and management hosts using network ACLs or host-based firewalls
  • Disable the Web Services scan feature on devices that do not require WSD scanning
  • Inventory all networked printers and scanners to confirm exposure status and patch coverage

Patch Information

Vendors have released firmware updates that correct the input validation flaw in the WS-Scan SOAP handler. Patch availability and version numbers are listed in the vendor advisories referenced above, including the Brother support FAQs, Konica Minolta advisory, and Ricoh advisory. Administrators should validate the firmware version after the update by checking the device's web management page.

Workarounds

  • Block inbound TCP port 80 to printer devices from untrusted networks at the perimeter and at internal segmentation points
  • Place printers on dedicated VLANs and permit only print servers and administrators to reach them
  • Disable Web Services for Devices (WSD) and the scan service on devices where the functionality is unused
  • Where supported, bind the WS-Scan service to a management interface unreachable from general user networks
bash
# Example: restrict access to printer HTTP service using iptables on a Linux gateway
# Allow only the print server (10.0.10.5) to reach printer subnet 10.0.50.0/24 on TCP/80
iptables -A FORWARD -p tcp -s 10.0.10.5 -d 10.0.50.0/24 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.50.0/24 --dport 80 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne