CVE-2026-27174
MajorDoMo · Major Domestic Module (MajorDoMo)
MajorDoMo allows unauthenticated remote code execution via the admin panel's PHP console due to a logic error that bypasses authentication and passes input to the eval() function.
Executive summary
MajorDoMo systems are at risk of complete takeover due to a flaw that allows unauthenticated attackers to execute arbitrary PHP code through the administrative console feature.
Vulnerability
Because of a logic error in modules/panel.class.php, execution is not terminated after a redirect is issued, so unauthenticated requests still reach an AJAX handler. That handler passes user-supplied GET parameters directly to the eval() function, resulting in unauthenticated remote code execution.
Business impact
With a CVSS score of 9.8, this vulnerability poses a catastrophic risk to the confidentiality, integrity, and availability of the affected system. An attacker can execute arbitrary PHP code, which allows for database manipulation, file system access, and the ability to use the compromised host as a staging point for further internal network attacks.
Remediation
Immediate Action: Update MajorDoMo to the latest version without delay; the update resolves the authentication bypass and removes the insecure use of the eval() function.
Proactive Monitoring: Review web server access logs for requests to /admin.php containing ajax_panel, op, and command parameters from unauthorized IP addresses.
Compensating Controls: Restrict access to the /admin.php endpoint using IP whitelisting or a VPN to prevent external exposure of the administrative interface.
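To make the log review in the Proactive Monitoring step concrete, the following added Python example (not MajorDoMo project code) scans constructed Apache-style access-log lines for /admin.php requests that carry all three parameters named above (ajax_panel, op, command) and reports those coming from sources outside an assumed management allowlist. The sample log lines, the allowlist, and the percent-decoding of the command value are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2026:10:15:02 +0000] "GET /admin.php?ajax_panel=1&op=run&command=phpinfo%28%29 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [01/Mar/2026:10:16:30 +0000] "GET /admin.php?ajax_panel=1&op=run&command=echo+1 HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2026:10:17:11 +0000] "GET /admin.php?page=devices HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2026:10:18:45 +0000] "POST /admin.php?ajax_panel=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Management hosts permitted to reach the admin interface (assumed allowlist).
ALLOWED_SOURCES = {"10.0.0.5"}

# Parameters the advisory names for the affected admin-console handler.
CONSOLE_PARAMS = {"ajax_panel", "op", "command"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, params, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qs percent-decodes names and values, so encoded spellings are still matched
    params = parse_qs(url.query, keep_blank_values=True)
    return m.group("ip"), m.group("ts"), m.group("method"), url.path, params, int(m.group("status"))

def is_console_request(path, params):
    """True when the request targets /admin.php with all three console parameters present."""
    return path.endswith("/admin.php") and CONSOLE_PARAMS.issubset(params)

def find_suspicious(log_text, allowed=ALLOWED_SOURCES):
    """Return console requests from sources outside the allowlist, with the decoded command."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected log format
        ip, ts, method, path, params, status = parsed
        if is_console_request(path, params) and ip not in allowed:
            hits.append({"ip": ip, "time": ts, "method": method,
                         "status": status, "command": params["command"][0]})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A 200 response to such a request from an unexpected source is the strongest signal; a 302 alone may be the redirect that the flaw fails to enforce, so pair this search with the patch rather than treating it as a substitute.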
Exploitation status
Public Exploit Available: No
Analyst recommendation
The presence of an unauthenticated eval() sink is a critical security failure. Administrators should not wait for evidence of exploitation before acting. The primary remediation—applying the vendor patch—must be performed immediately to prevent unauthorized remote command execution.