The recent disclosure of a critical vulnerability affecting millions of Brother printers, one that cannot be patched, has sparked serious concern among IT and security professionals. It’s a stark reminder that not every security flaw can be resolved through a software update or firmware fix.
For organizations relying on legacy or embedded systems, unpatchable vulnerabilities are not a theoretical concern. They are a persistent reality.
So, what do you do when you can’t patch? The answer lies in a multi-layered approach that combines technical, procedural, and strategic controls to contain and mitigate the risk.
Know What You’re Dealing With: Asset Inventory and Risk Profiling
The first step is understanding exactly what you’re dealing with. Organizations must have a clear, up-to-date inventory of all devices on the network, including peripherals like printers, scanners, and network-connected IoT devices. Too often, these devices fall through the cracks of traditional IT asset management, creating blind spots for security teams.
Once identified, each device should be assessed for its function, exposure, and risk profile. Devices that connect to sensitive systems or handle confidential data demand greater scrutiny than those with limited access.
Containment Through Segmentation
Once the vulnerable devices are identified, the next priority is to implement network segmentation. By isolating these endpoints from the broader network, typically by assigning them to a dedicated VLAN or subnet, organizations can dramatically reduce the risk of lateral movement should a compromise occur.
Communications to and from the device should be tightly controlled through firewalls and access control lists. Only the necessary protocols and ports should be open, and only to explicitly defined endpoints such as a print server or a few authorized clients.
Strengthen Devices with Compensating Controls
Even with isolation, compensating controls must be put in place. Many modern printers and embedded devices offer basic security features that are often disabled by default. Enabling authentication for users who wish to print, enforcing secure release mechanisms that require user presence, and disabling unnecessary services or ports can all reduce the attack surface.
For sensitive environments, restricting printing functionality entirely to virtual machines or print servers that serve as choke points can be an effective approach.
Monitor Like It Matters
Monitoring becomes especially critical when vulnerabilities cannot be patched. Print devices should not be treated as second-class citizens when it comes to logging and visibility. Network and device-level logs should be forwarded to a centralized SIEM, where anomalous behavior, such as unusually high volumes of print jobs, unexpected restarts, or communication with unfamiliar IP addresses, can trigger alerts and investigations.
These logs also serve as an invaluable resource during incident response, helping to identify the scope and origin of any compromise.
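The segmentation and monitoring advice above can be turned into concrete detection logic. The following is an added example, not code from the original post or from MainNerve: a small Python checker that reads constructed, syslog-style print-device events and raises the three kinds of alert the text names (a burst of print jobs, an unexpected restart, and a connection to an address outside the printer VLAN's egress allowlist). The log format, device name, addresses and the allowlist itself are assumptions for the example, not a real Brother log format or a real network.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Egress allowlist for the isolated printer VLAN, in the spirit of the
# segmentation advice: only a few explicitly defined endpoints and ports.
# Anything not listed is treated as "unfamiliar". Addresses are constructed.
ALLOWED_FLOWS = [
    # (destination network, protocol, permitted ports, purpose)
    (ipaddress.ip_network("10.20.0.9/32"), "udp", {514}, "syslog collector"),
    (ipaddress.ip_network("10.20.0.123/32"), "udp", {123}, "NTP"),
    (ipaddress.ip_network("10.20.0.10/32"), "tcp", {636}, "LDAPS for print auth"),
    (ipaddress.ip_network("10.20.0.25/32"), "tcp", {587}, "scan-to-email relay"),
]

# Constructed sample events in an assumed format:
#   <ISO timestamp> <device> <EVENT> key=value ...
# CONN lines are connections initiated by the printer itself.
SAMPLE_LOGS = """\
2025-07-01T09:00:01 prn-lobby-01 CONN dst=10.20.0.9 port=514 proto=udp
2025-07-01T09:00:02 prn-lobby-01 PRINT_JOB user=alice pages=2
2025-07-01T09:00:40 prn-lobby-01 PRINT_JOB user=bob pages=1
2025-07-01T09:05:00 prn-lobby-01 CONN dst=10.20.0.10 port=636 proto=tcp
2025-07-01T09:10:00 prn-lobby-01 CONN dst=203.0.113.44 port=443 proto=tcp
2025-07-01T09:10:30 prn-lobby-01 RESTART reason=unknown
2025-07-01T09:11:00 prn-lobby-01 PRINT_JOB user=svc-scan pages=1
2025-07-01T09:11:05 prn-lobby-01 PRINT_JOB user=svc-scan pages=1
2025-07-01T09:11:10 prn-lobby-01 PRINT_JOB user=svc-scan pages=1
2025-07-01T09:11:15 prn-lobby-01 PRINT_JOB user=svc-scan pages=1
2025-07-01T09:11:20 prn-lobby-01 PRINT_JOB user=svc-scan pages=1
2025-07-01T23:00:00 prn-lobby-01 RESTART reason=scheduled
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$"
)


def parse_line(line):
    """Parse one event line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.fromisoformat(m.group("ts")),
        "device": m.group("device"),
        "event": m.group("event"),
    }
    for item in m.group("kv").split():
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def flow_allowed(dst, proto, port):
    """Deny-by-default check of a printer-initiated flow against the allowlist."""
    addr = ipaddress.ip_address(dst)
    for net, allowed_proto, ports, _purpose in ALLOWED_FLOWS:
        if addr in net and proto == allowed_proto and port in ports:
            return True
    return False


def analyze(log_text, burst_threshold=5, window=timedelta(minutes=1)):
    """Return alerts for print-job bursts, unexpected restarts and disallowed egress."""
    alerts = []
    recent_jobs = defaultdict(deque)  # device -> timestamps of jobs inside the window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dev, ts = rec["device"], rec["ts"]
        if rec["event"] == "PRINT_JOB":
            q = recent_jobs[dev]
            q.append(ts)
            while q and ts - q[0] > window:  # sliding window: drop jobs that aged out
                q.popleft()
            if len(q) == burst_threshold:  # fire once as the threshold is crossed
                alerts.append({"device": dev, "rule": "print_burst", "ts": ts,
                               "detail": f"{len(q)} jobs within {window}"})
        elif rec["event"] == "RESTART":
            if rec.get("reason") != "scheduled":
                alerts.append({"device": dev, "rule": "unexpected_restart", "ts": ts,
                               "detail": rec.get("reason", "unknown")})
        elif rec["event"] == "CONN":
            if not flow_allowed(rec["dst"], rec["proto"], int(rec["port"])):
                alerts.append({"device": dev, "rule": "egress_outside_allowlist", "ts": ts,
                               "detail": f"{rec['proto']}/{rec['dst']}:{rec['port']}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(f"{alert['ts']} {alert['device']} {alert['rule']}: {alert['detail']}")
```

Run against the constructed sample, the checker reports the outbound connection to 203.0.113.44, the restart with reason `unknown`, and the five-job burst at 09:11, while the scheduled restart and the allowlisted syslog and LDAPS flows pass silently. In practice the same allowlist that defines the VLAN's firewall rules should feed the detection, so that a connection the firewall blocks and a connection the SIEM flags are judged against one source of truth.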
Operational Security: Physical and Administrative Safeguards
Operational controls also play a crucial role. Physical access to these devices should be strictly limited, particularly in public or semi-public areas where tampering is a potential concern.
Administrators should also routinely purge stored documents, cached credentials, and other sensitive data from these devices.
Firmware should be kept up to date, even if a patch for the vulnerability in question is not available, as other improvements may close related security gaps.
When to Retire: Strategic Risk Management
At a strategic level, organizations must face the question of risk tolerance. In many cases, the best long-term response to an unpatchable vulnerability is to retire and replace the affected device. This is especially true for devices no longer supported by the manufacturer, which are unlikely to receive any future security updates. While budget and operational constraints may limit immediate action, a phased replacement plan tied to lifecycle management can prevent future exposure.
Build Awareness: Train Your People
Lastly, communication and training are vital. Users must understand that peripherals, such as printers, are not immune to attack and should be treated as part of the broader security ecosystem. Policies around device usage, data handling, and reporting unusual activity must be reinforced regularly.
Final Thoughts: A Layered Defense is the Best Patch
Unpatchable vulnerabilities are not the end of the world, but they are a wake-up call. They challenge us to think beyond patches and adopt a more holistic security model, one that combines visibility, control, and risk-based decision-making. In the face of threats that can’t be fixed with a single update, our best defense is layered, deliberate, and proactive.
Take Control Before the Threat Takes Over
Unpatchable doesn’t mean unmanageable, but it does demand a proactive approach. If your organization is struggling with legacy systems, embedded devices, or other unpatchable vulnerabilities, now is the time to act. At MainNerve, we help organizations build resilient, layered defenses tailored to their risk landscape. From network segmentation to custom penetration testing and security strategy, we’ll help you secure what can’t be patched. Contact us today for a free consultation and take the first step toward a stronger, smarter defense.