CVE-2026-27174 is a severe vulnerability affecting MajorDoMo, a home automation platform developed by sergejey. The root cause is an include order bug in the file modules/panel.class.php, where a redirect() call intended to prevent unauthorized access does not terminate execution due to a missing exit statement. This allows unauthenticated HTTP requests to reach the ajax handler in inc_panel_ajax.php. Within this handler, the console feature processes user input from GET parameters (ajax_panel, op, and command) and passes them directly to PHP's eval() function without any authentication or sanitization. The use of register_globals further exacerbates the risk by allowing GET parameters to influence the execution context. Consequently, an attacker can craft a GET request to /admin.php with specific parameters to execute arbitrary PHP code remotely, leading to full system compromise. The vulnerability requires no authentication, no user interaction, and can be exploited over the network, making it highly dangerous. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects its criticality, with high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the straightforward exploitation method and critical severity warrant immediate attention from users of MajorDoMo.

For European organizations, the impact of this vulnerability is significant. MajorDoMo is used in smart home and building automation, often controlling critical infrastructure such as HVAC, lighting, security systems, and other IoT devices. Exploitation could allow attackers to gain full control over these systems, potentially leading to unauthorized surveillance, disruption of building operations, physical safety risks, and data breaches. The unauthenticated nature of the exploit means attackers can compromise systems remotely without prior access, increasing the likelihood of attacks. Organizations relying on MajorDoMo for automation in offices, residential complexes, or industrial environments face risks of operational downtime, reputational damage, and regulatory penalties under GDPR if personal data is exposed. The lack of known exploits currently provides a window for proactive defense, but the critical severity suggests rapid exploitation attempts are likely once public proof-of-concept code emerges.

To mitigate CVE-2026-27174, European organizations should take immediate and specific actions beyond generic advice: 1) Restrict network access to the MajorDoMo admin panel by implementing firewall rules or VPN-only access to prevent unauthorized external connections. 2) Disable or remove the vulnerable PHP console feature if it is not essential for operations, as it is the direct attack vector. 3) Apply code-level patches or workarounds to ensure that redirect() calls in modules/panel.class.php are followed by exit statements to prevent execution flow continuation. 4) If patching is not immediately possible, implement web application firewall (WAF) rules to detect and block requests containing suspicious GET parameters (ajax_panel, op, command) targeting /admin.php. 5) Monitor logs for unusual access patterns or attempts to invoke the console handler. 6) Conduct a thorough audit of all MajorDoMo instances within the organization to identify exposed systems. 7) Engage with the vendor or community to obtain official patches or updates as soon as they become available. 8) Educate IT and security teams about the vulnerability to ensure rapid incident response if exploitation attempts are detected.