CVE-2026-27180
Published: 18 February 2026
Description
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for access to the saverestore module endpoint, preventing unauthenticated poisoning of the update URL and triggering of force_update.
Requires digitally signed software components with verification prior to installation, directly mitigating deployment of malicious tarballs via poisoned updates lacking integrity checks.
Performs integrity checks on software updates and detects unauthorized modifications, countering supply chain compromise through unverified downloads and extractions to the webroot.
Security Summary
CVE-2026-27180 is a critical unauthenticated remote code execution vulnerability in MajorDoMo (also known as Major Domestic Module), an open-source home automation platform. The issue stems from the saverestore module, which exposes its admin() method via the /objects/?module=saverestore endpoint without authentication. This occurs because the module reads the mode parameter directly from $_REQUEST using gr('mode') rather than the framework's $this->mode. Additionally, the auto_update_settings mode handler allows poisoning of the system update URL, enabling supply chain compromise. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-494 (Download of Code Without Integrity Check). It was published on 2026-02-18.
An unauthenticated remote attacker can exploit this vulnerability with just two GET requests. First, the attacker poisons the update URL through the auto_update_settings handler. Second, they trigger the force_update handler, which calls autoUpdateSystem(). This method fetches an Atom feed from the attacker-controlled URL with only trivial validation, downloads a tarball using curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it via exec('tar xzvf ...'), and copies all files to the document root using copyTree(). Successful exploitation allows deployment of arbitrary PHP files, such as webshells, granting full control over the affected MajorDoMo instance.
Advisories and patches for mitigation are detailed in referenced sources, including a GitHub pull request at https://github.com/sergejey/majordomo/pull/1177, a technical analysis at https://chocapikk.com/posts/2026/majordomo-revisited/, and a VulnCheck advisory at https://www.vulncheck.com/advisories/majordomo-supply-chain-remote-code-execution-via-update-url-poisoning. Security practitioners should review these for specific remediation steps, such as patching the saverestore module and securing update mechanisms.
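The description and summary above name four defects in the update chain: the mode check sourced from $_REQUEST, an update URL the request can overwrite, a curl download with CURLOPT_SSL_VERIFYPEER set to FALSE, and an exec('tar xzvf ...') whose output is copied straight into the document root. The PHP below is an illustration added to this page, not MajorDoMo's code or its patch, showing what a hardened equivalent of that path looks like: authorization from server-side session state, an allowlisted HTTPS host, TLS verification on, a detached Ed25519 signature checked before anything is extracted, and extraction through PharData into a staging directory with path checks instead of a shell. The host name, the public key, the size cap and the idea that the signature arrives as a hex string next to the tarball are all assumptions; Atom feed parsing is left out.

```php
<?php
// Added illustration, not MajorDoMo code. Placeholder values below would come
// from configuration in a real deployment.
declare(strict_types=1);

const UPDATE_ALLOWED_HOST = 'updates.example.invalid';  // placeholder allowlisted host
const UPDATE_PUBKEY_HEX   = '0000000000000000000000000000000000000000000000000000000000000000'; // placeholder 32-byte Ed25519 key
const MAX_TARBALL_BYTES   = 50 * 1024 * 1024;

function requireAdmin(array $session): void
{
    // Authorization comes from server-side session state, never from request
    // parameters (the advisory's defect: mode read via gr('mode') from $_REQUEST).
    if (empty($session['user_id']) || empty($session['is_admin'])) {
        throw new RuntimeException('update requires an authenticated administrator');
    }
}

function validateUpdateUrl(string $url): string
{
    // The update URL is not taken from the request; it is checked against a fixed host.
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        throw new RuntimeException('update URL must use https');
    }
    if (strcasecmp($parts['host'] ?? '', UPDATE_ALLOWED_HOST) !== 0) {
        throw new RuntimeException('update host is not allowlisted');
    }
    return $url;
}

function fetchWithTls(string $url): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // no silent redirect to another host
        CURLOPT_SSL_VERIFYPEER => true,           // the vulnerable code set this to FALSE
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_MAXFILESIZE    => MAX_TARBALL_BYTES,
        CURLOPT_TIMEOUT        => 60,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        throw new RuntimeException("download failed: HTTP $code $err");
    }
    return $body;
}

function verifySignature(string $tarball, string $signatureHex): void
{
    // Detached Ed25519 signature over the raw tarball bytes (libsodium, bundled with PHP).
    $sig = hex2bin($signatureHex);
    $pk  = hex2bin(UPDATE_PUBKEY_HEX);
    if ($sig === false || $pk === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($pk) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        throw new RuntimeException('malformed signature or public key');
    }
    if (!sodium_crypto_sign_verify_detached($sig, $tarball, $pk)) {
        throw new RuntimeException('update signature verification failed');
    }
}

function extractToStaging(string $tarball, string $stagingDir): void
{
    $base = tempnam(sys_get_temp_dir(), 'upd');
    $tmp  = $base . '.tar.gz';               // PharData picks the format from the extension
    rename($base, $tmp);
    file_put_contents($tmp, $tarball);
    try {
        $archive = new PharData($tmp);
        $prefix  = 'phar://' . $tmp . '/';
        foreach (new RecursiveIteratorIterator($archive) as $entry) {
            $name = $entry->getPathname();
            if (strncmp($name, $prefix, strlen($prefix)) !== 0) {
                throw new RuntimeException('unexpected entry path: ' . $name);
            }
            $rel = substr($name, strlen($prefix));
            // Reject absolute paths, parent-directory segments and NUL bytes.
            if ($rel === '' || $rel[0] === '/' || strpos($rel, "\0") !== false
                || in_array('..', explode('/', $rel), true)) {
                throw new RuntimeException('unsafe path in archive: ' . $rel);
            }
        }
        $archive->extractTo($stagingDir, null, true);   // no exec('tar xzvf ...')
    } finally {
        unlink($tmp);
    }
}

function applyUpdate(array $session, string $tarballUrl, string $signatureHex, string $stagingDir): void
{
    requireAdmin($session);
    $tarball = fetchWithTls(validateUpdateUrl($tarballUrl));
    verifySignature($tarball, $signatureHex);   // nothing is unpacked before this passes
    extractToStaging($tarball, $stagingDir);
    // Only now would a copyTree()-style step move $stagingDir into the document root.
}
```

The ordering is the point: the signature is checked on the downloaded bytes before any extraction, and extraction lands in a staging directory, so a tarball that fails verification or carries traversal entries never reaches the webroot. The path check on archive entries is defensive even where the extractor sanitizes names itself.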
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated RCE in public-facing web application (T1190) via update URL poisoning, enabling deployment of arbitrary PHP files such as webshells (T1100).