CVE-2026-27180
📋 TL;DR
CVE-2026-27180 allows unauthenticated attackers to execute arbitrary code on MajorDoMo systems by poisoning the update URL. Attackers can deploy webshells or other malicious PHP files to the webroot with just two GET requests. All MajorDoMo installations with the vulnerable saverestore module are affected.
💻 Affected Systems
- MajorDoMo (Major Domestic Module)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining persistent access, deploying ransomware, stealing sensitive data, and using the system as a pivot point for lateral movement.
Likely Case
Deployment of webshells leading to data exfiltration, cryptocurrency mining, or participation in botnets.
If Mitigated
Limited impact if network segmentation prevents external access to vulnerable endpoints or if web application firewalls block malicious requests.
🎯 Exploit Status
Exploitation requires only two GET requests and an attacker-controlled server. The vulnerability is trivial to exploit with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub pull request #1177 for specific version
Vendor Advisory: https://github.com/sergejey/majordomo/pull/1177
Restart Required: No
Instructions:
1. Update to the latest MajorDoMo version from the official repository.
2. Apply the patch from GitHub pull request #1177, which fixes the authentication checks in the saverestore module.
3. Verify that the /objects/?module=saverestore endpoint now requires proper authentication.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Block access to the saverestore module endpoint using web server configuration or firewall rules. Note that an Apache RewriteRule pattern and an nginx location pattern match only the request path, not the query string, so the module parameter has to be tested separately:
# Apache (mod_rewrite, RewriteEngine On): RewriteCond %{QUERY_STRING} (^|&)module=saverestore(&|$) [NC]
#                                        RewriteRule ^/?objects/ - [F,L]
# Nginx: location /objects/ { if ($arg_module = "saverestore") { return 403; } }
Disable Auto-Update Feature
Disable the auto-update functionality in the MajorDoMo configuration so that a poisoned update URL cannot be acted on.
# Edit MajorDoMo configuration to set auto_update = 0
🧯 If You Can't Patch
- Implement strict network access controls to limit access to the MajorDoMo web interface to trusted IP addresses only.
- Deploy a web application firewall (WAF) with rules to block requests containing suspicious update URLs or patterns targeting the saverestore module.
🔍 How to Verify
Check if Vulnerable:
Request /objects/?module=saverestore&mode=auto_update_settings without an authenticated session. If the endpoint accepts the request and its parameters without authentication, the system is vulnerable.
Check Version:
Check the MajorDoMo version in the web interface or examine the source code for the patched authentication logic.
Verify Fix Applied:
Verify that the saverestore module endpoints now require proper authentication and that auto_update_settings mode validates update URLs properly.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /objects/?module=saverestore with mode=auto_update_settings or mode=force_update from untrusted sources
- Unusual file creation in webroot directories, especially PHP files with suspicious names
Network Indicators:
- Outbound connections from the MajorDoMo server to unfamiliar domains on ports 80/443 following update requests
- HTTP GET requests with suspicious URL parameters in the update field
SIEM Query:
source="web_access.log" AND (uri="/objects/" AND query="module=saverestore") AND (src_ip NOT IN trusted_networks)
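As an added example (not part of the original advisory or of MajorDoMo's own code), the following Python script applies the log indicators above to access log lines in the Apache/nginx combined format: it flags requests to /objects/ with module=saverestore and one of the update-related modes that come from outside a trusted network range. The sample log lines, the documentation-range IP addresses and the trusted network are constructed assumptions for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) ')
# Modes named in the advisory's log indicators.
SUSPICIOUS_MODES = {"auto_update_settings", "force_update"}

def parse_line(line):
    """Return ip/method/path/query/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def is_trusted(ip, trusted_networks):
    """True if ip lies inside a trusted network; unparsable addresses count as untrusted."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in trusted_networks)
    except ValueError:
        return False

def find_saverestore_hits(lines, trusted_networks):
    """(ip, mode, status) for saverestore requests with an update-related mode
    from outside the trusted networks, i.e. the advisory's log indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != "/objects/":
            continue
        q = rec["query"]
        if q.get("module") != "saverestore" or q.get("mode") not in SUSPICIOUS_MODES:
            continue
        if not is_trusted(rec["ip"], trusted_networks):
            hits.append((rec["ip"], q["mode"], int(rec["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges), not real MajorDoMo traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2026:12:00:01 +0000] "GET /objects/?module=saverestore&mode=auto_update_settings HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2026:12:00:02 +0000] "GET /objects/?module=saverestore&mode=force_update HTTP/1.1" 200 77',
    '10.0.0.5 - - [10/Mar/2026:12:05:00 +0000] "GET /objects/?module=saverestore&mode=force_update HTTP/1.1" 200 77',
    '198.51.100.7 - - [10/Mar/2026:12:06:00 +0000] "GET /objects/?module=panel HTTP/1.1" 200 2048',
]
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]  # assumed trusted admin range
```

Calling find_saverestore_hits(SAMPLE_LOG, TRUSTED) reports the two untrusted requests from 198.51.100.7 and ignores the same request from the trusted 10.0.0.5 host and the unrelated module=panel request.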