MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module
Description
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module
Remediation
Apply vendor patches immediately. Review database access controls and enable query logging.
---METADATA---
VENDOR: MajorDoMo
PRODUCT: Major Domestic Module (MajorDoMo)
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
MajorDoMo is vulnerable to unauthenticated remote code execution via a race condition and unsanitized user input in the rc/index.php and cycle_execs.php components.
Executive Summary:
An unauthenticated remote attacker can execute arbitrary OS commands on MajorDoMo systems by exploiting a race condition in the command queuing mechanism, leading to full system compromise.
Vulnerability Details
CVE-ID: CVE-2026-27175
Affected Software: MajorDoMo Major Domestic Module
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability involves unauthenticated OS command injection where user input is interpolated into shell commands without sanitization. By exploiting a race condition between the web-accessible
rcendpoint and thecycle_execs.phppolling loop, an attacker can inject shell metacharacters that are executed with the permissions of the web server.Business Impact
The impact of this vulnerability is critical, as reflected in its CVSS score of 9.8. Successful exploitation grants the attacker full remote code execution (RCE) without requiring any credentials. This can lead to the complete takeover of the host system, lateral movement within the network, and the deployment of ransomware or data exfiltration tools.
Remediation Plan
Immediate Action: Apply the latest security patches provided by the MajorDoMo project immediately or disable web access to the
rc/directory andcycle_execs.php.Proactive Monitoring: Inspect system logs for unusual shell command executions or suspicious activity originating from the web server user.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to block shell metacharacters (e.g., semicolons, backticks, pipes) in HTTP GET and POST requests.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Feb 18, 2026, there is no public information indicating active exploitation of this vulnerability. However, because the exploit requires no authentication and targets a common home automation platform, the risk of rapid exploit development is extremely high.
Analyst Recommendation
This vulnerability represents a "worst-case" scenario for networked software: unauthenticated RCE. IT administrators must treat this as a top priority and apply updates immediately. Given the complexity of the race condition, manual sanitization is not recommended; a full vendor-supplied patch is the only reliable solution.