CVE-2026-27180
Status: Received - Intake
Unauthenticated Remote Code Execution in MajorDoMo Update Module

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: VulnCheck

Description
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.
Meta Information
Published: 2026-02-18
Last Modified: 2026-02-20
Generated: 2026-05-07
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: mjdm
Product: majordomo
Version / Range: * (any version)
CWE
CWE-494: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
AI Powered Q&A
Can you explain this vulnerability to me?

MajorDoMo (Major Domestic Module) has a critical security flaw that allows unauthenticated remote code execution through a supply chain attack involving update URL poisoning.

The vulnerability arises because the saverestore module exposes its admin() method via the /objects/?module=saverestore endpoint without requiring authentication. This happens because it uses a mode parameter read directly from user input ($_REQUEST) instead of a safer internal framework variable.

An attacker can manipulate the system update URL through the auto_update_settings handler, then trigger the force_update handler to start the update process.

During the update, the system fetches an Atom feed from the attacker-controlled URL with minimal validation, downloads a tarball with TLS verification disabled, extracts it, and copies the files to the web document root.

This process allows the attacker to deploy arbitrary PHP files, including webshells, to the webroot by making just two GET requests.


How can this vulnerability impact me?:

This vulnerability can have severe impacts including complete compromise of the affected system.

  • An attacker can execute arbitrary code remotely without any authentication.
  • The attacker can deploy malicious PHP files such as webshells, enabling persistent access and control.
  • Sensitive data stored or processed by the system could be accessed, modified, or deleted.
  • The system could be used as a launchpad for further attacks within the network.
  • Service availability could be disrupted due to malicious actions or system instability.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know

