CVE-2026-27175 is a critical OS command injection vulnerability in MajorDoMo, an open-source home automation platform developed by sergejey. The vulnerability exists in the rc/index.php endpoint, where the $param user input is directly interpolated into a shell command string enclosed in double quotes without proper sanitization using escapeshellarg(). This unsanitized input is then inserted into a database queue by the safe_exec() function, which itself does not perform any sanitization. The cycle_execs.php script, which is accessible via the web without authentication, retrieves commands from this queue and executes them directly using PHP's exec() function. The vulnerability is exacerbated by a race condition: an attacker first triggers cycle_execs.php to purge the command queue and enter a polling loop, then injects a malicious command via the rc endpoint while the worker is polling. Because shell metacharacters expand inside the double quotes, the injected commands execute remotely within approximately one second. This flaw allows unauthenticated remote attackers to execute arbitrary OS commands on the server hosting MajorDoMo, potentially leading to full system compromise. The vulnerability affects all versions of MajorDoMo (version 0 indicated), and no authentication or user interaction is required to exploit it. The CVSS 4.0 score of 9.2 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation and lack of required privileges. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a critical threat that demands immediate attention from users of MajorDoMo.

The impact of CVE-2026-27175 is severe for organizations using MajorDoMo as it allows unauthenticated remote attackers to execute arbitrary OS commands on the affected system. This can lead to complete system compromise, including unauthorized access to sensitive data, modification or deletion of critical files, installation of persistent malware, lateral movement within networks, and disruption of home automation services. The vulnerability compromises confidentiality, integrity, and availability simultaneously. Given that MajorDoMo is often deployed in home and small business automation environments, attackers could manipulate physical devices, causing safety risks or operational disruptions. The unauthenticated nature and rapid exploitation window (within one second) increase the likelihood of automated attacks and worm-like propagation. Organizations relying on MajorDoMo for critical automation should consider this a high-risk vulnerability that could lead to significant operational and reputational damage if exploited.

To mitigate CVE-2026-27175, organizations should immediately update MajorDoMo to a patched version once available from the vendor. In the absence of an official patch, users should implement the following specific mitigations: 1) Restrict web access to cycle_execs.php and rc/index.php endpoints using network-level controls such as firewalls or web application firewalls (WAFs) to allow only trusted IP addresses. 2) Disable or remove the cycle_execs.php script if not essential for operation. 3) Implement input validation and sanitization on the $param variable to ensure shell metacharacters are properly escaped or disallowed. 4) Employ application-layer sandboxing or containerization to limit the impact of potential command execution. 5) Monitor logs for unusual command queue activity or unexpected execution patterns. 6) Use intrusion detection systems (IDS) to detect exploitation attempts targeting these endpoints. 7) Enforce the principle of least privilege on the server process running MajorDoMo to minimize damage from a successful exploit. These targeted mitigations go beyond generic advice by focusing on the specific vulnerable components and exploitation method described.