CVE-2026-27174
📋 TL;DR
CVE-2026-27174 allows unauthenticated attackers to execute arbitrary PHP code on MajorDoMo home automation systems via the admin panel's PHP console. This critical vulnerability affects all MajorDoMo installations with the vulnerable code path, enabling complete system compromise. Attackers can gain full control of affected systems without any authentication.
💻 Affected Systems
- MajorDoMo (Major Domestic Module)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover, installation of persistent backdoors, data theft, lateral movement to other systems, and use as a botnet node.
Likely Case
Remote code execution leading to system compromise, data exfiltration, and potential ransomware deployment.
If Mitigated
Limited impact if system is isolated behind strict network controls and has no sensitive data.
🎯 Exploit Status
Exploitation requires only a crafted HTTP GET request with specific parameters. Public exploit code and detailed analysis are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version with pull request #1177 applied
Vendor Advisory: https://github.com/sergejey/majordomo/pull/1177
Restart Required: No
Instructions:
1. Update to the latest MajorDoMo version from the official repository.
2. Apply the fix from pull request #1177, which adds the missing exit() calls and authentication checks.
3. Verify the patch is applied by checking modules/panel.class.php and inc_panel_ajax.php.
🔧 Temporary Workarounds
Disable Admin Panel Access
Block access to the vulnerable admin.php endpoint:
# Apache (vhost config or .htaccess; the optional leading slash lets the pattern match in both contexts):
RewriteEngine On
RewriteRule ^/?admin\.php$ - [F,L]
# Nginx (inside the server block):
location ~ ^/admin\.php$ { deny all; }
Disable register_globals
Disable PHP register_globals in the php.ini configuration (this directive exists only in PHP 5.3 and earlier; it was removed in PHP 5.4, so on newer PHP versions this workaround does not apply):
# Edit php.ini and set:
register_globals = Off
# Restart the web server (or PHP-FPM) after the change
🧯 If You Can't Patch
- Implement strict network access controls to block external access to the MajorDoMo web interface
- Deploy a web application firewall (WAF) with rules to block requests containing eval() or PHP execution patterns
🔍 How to Verify
Check if Vulnerable:
Check if admin.php is accessible and if the code in modules/panel.class.php lacks proper exit() calls after redirect() functions.
Check Version:
# Check MajorDoMo version in configuration files or via web interface
Verify Fix Applied:
Verify that inc_panel_ajax.php now includes authentication checks and that panel.class.php has exit() statements after redirect() calls.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /admin.php with ajax_panel, op, and command parameters
- Unusual PHP execution errors or eval() calls in web server logs
Network Indicators:
- HTTP requests containing 'eval(' or PHP code patterns in query parameters
- Unusual outbound connections from MajorDoMo server
SIEM Query:
source="web_server" AND url="/admin.php" AND (query="*ajax_panel*" OR query="*command=*" OR query="*op=*")
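As an added example, not part of this advisory or of the MajorDoMo project, the script below applies the two log indicators above to access-log lines in common log format: it decodes each query string, flags any request carrying an eval( pattern, and rates /admin.php requests by how many of the ajax_panel, op and command parameters they carry. The sample log lines are constructed and their parameter values are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Common log format: client, identd, user, [timestamp], "request line", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
# Parameter names the advisory lists as indicators of PHP-console use via /admin.php
CONSOLE_PARAMS = {"ajax_panel", "op", "command"}

def classify(line):
    # Returns (severity, reason) for a flagged line, or None when nothing matched
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = set(parse_qs(parts.query, keep_blank_values=True))
    decoded = unquote_plus(parts.query).lower()
    if "eval(" in decoded:  # PHP code pattern in the query string, on any path
        return ("high", "eval( in query string")
    if parts.path.endswith("/admin.php"):  # console entry point with its parameters
        hit = CONSOLE_PARAMS & params
        if hit == CONSOLE_PARAMS:
            return ("high", "admin.php with ajax_panel, op and command")
        if hit:
            return ("medium", "admin.php with " + ", ".join(sorted(hit)))
    return None

def scan(lines):
    # Returns [(client, severity, reason)] for every flagged line, in log order
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((LOG_RE.match(line).group("client"),) + result)
    return hits

# Constructed sample log; parameter values are placeholders, not a working request
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2026:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2026:12:00:01 +0000] "GET /admin.php?ajax_panel=1&op=X&command=Y HTTP/1.1" 200 44',
    '10.0.0.9 - - [01/Mar/2026:12:00:02 +0000] "GET /admin.php?op=settings HTTP/1.1" 302 0',
    '10.0.0.11 - - [01/Mar/2026:12:00:03 +0000] "GET /page.php?q=eval%28 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, severity, reason in scan(SAMPLE_LOG):
        print(f"{severity:6} {client:10} {reason}")
```

Decoding the query before matching catches percent-encoded variants of the pattern; the medium-severity hits are triage candidates rather than confirmed exploitation and should be compared against the host's normal admin traffic.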