An unauthenticated remote attacker can execute arbitrary OS commands on MajorDoMo systems by exploiting a race condition in the command queuing mechanism, leading to full system compromise.

This vulnerability involves unauthenticated OS command injection where user input is interpolated into shell commands without sanitization. By exploiting a race condition between the web-accessible rc endpoint and the cycle_execs.php polling loop, an attacker can inject shell metacharacters that are executed with the permissions of the web server.

The impact of this vulnerability is critical, as reflected in its CVSS score of 9.8. Successful exploitation grants the attacker full remote code execution (RCE) without requiring any credentials. This can lead to the complete takeover of the host system, lateral movement within the network, and the deployment of ransomware or data exfiltration tools.

Immediate Action: Apply the latest security patches provided by the MajorDoMo project immediately or disable web access to the rc/ directory and cycle_execs.php.

Proactive Monitoring: Inspect system logs for unusual shell command executions or suspicious activity originating from the web server user.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to block shell metacharacters (e.g., semicolons, backticks, pipes) in HTTP GET and POST requests.

Public Exploit Available: No

This vulnerability represents a "worst-case" scenario for networked software: unauthenticated RCE. IT administrators must treat this as a top priority and apply updates immediately. Given the complexity of the race condition, manual sanitization is not recommended; a full vendor-supplied patch is the only reliable solution.