
CVE-2026-27175: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in sergejey MajorDoMo

Severity: Critical
Published: Wed Feb 18 2026 (02/18/2026, 21:10:36 UTC)
Source: CVE Database V5
Vendor/Project: sergejey
Product: MajorDoMo

Description

CVE-2026-27175 is a critical unauthenticated OS command injection vulnerability in MajorDoMo, a home automation platform. The flaw arises from improper sanitization of user input in the rc/index.php endpoint, where shell metacharacters are not escaped, allowing injection of arbitrary commands. An attacker can exploit a race condition involving the cycle_execs.php script, which processes queued commands without authentication, to achieve remote code execution within seconds. This vulnerability requires no user interaction or privileges and affects all versions of MajorDoMo. The CVSS 4.0 score is 9.2, reflecting its high impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the ease of exploitation and critical severity make it a significant threat.

AI-Powered Analysis

Last updated: 02/18/2026, 21:41:44 UTC

Technical Analysis

MajorDoMo, an open-source home automation platform developed by sergejey, suffers from a critical OS command injection vulnerability identified as CVE-2026-27175. The vulnerability exists in the rc/index.php endpoint, where the $param variable derived from user input is interpolated directly into a shell command string enclosed in double quotes without proper sanitization such as escapeshellarg(). This command string is then inserted into a database queue via the safe_exec() function, which itself does not perform any sanitization. The cycle_execs.php script, accessible via the web without authentication, retrieves commands from this queue and executes them using PHP's exec() function. A race condition can be exploited by an attacker who first triggers cycle_execs.php, which purges the queue and enters a polling loop, and then injects a malicious command through the rc endpoint while the worker is polling. Because shell metacharacters expand inside the double quotes, the attacker can execute arbitrary OS commands remotely within approximately one second. This vulnerability does not require authentication or user interaction, making it highly exploitable. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates network attack vector, low complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patches or known exploits are currently reported, but the vulnerability poses a severe risk to any deployment of MajorDoMo, especially in environments controlling critical smart home or building functions.

Potential Impact

For European organizations, the impact of this vulnerability is significant due to the potential for complete system compromise without authentication. Attackers could execute arbitrary commands on affected MajorDoMo servers, leading to unauthorized access, data theft, manipulation of home or building automation controls, and potential disruption of critical services such as heating, lighting, or security systems. This could result in privacy violations, physical safety risks, and operational downtime. The vulnerability's ease of exploitation and rapid execution window increase the likelihood of automated attacks or targeted intrusions. Organizations relying on MajorDoMo for smart building management or residential automation in Europe face risks of espionage, sabotage, or ransomware deployment. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the critical severity demands immediate attention to prevent future attacks.

Mitigation Recommendations

To mitigate CVE-2026-27175, organizations should immediately restrict access to the cycle_execs.php and rc/index.php endpoints, ideally limiting them to trusted internal networks or VPNs. Implement web application firewalls (WAFs) with rules to detect and block suspicious shell metacharacters or injection patterns targeting these endpoints. Developers or administrators should patch the MajorDoMo installation by applying input sanitization using escapeshellarg() or equivalent functions to properly escape all user-supplied parameters before command execution. If patches are unavailable, consider disabling or isolating the cycle_execs.php script to prevent command execution from the queue. Regularly audit and monitor logs for unusual command execution or queue manipulation attempts. Employ network segmentation to isolate smart home automation systems from critical enterprise infrastructure. Finally, maintain up-to-date backups and incident response plans tailored to potential remote code execution scenarios.
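For the log-audit recommendation above, the following is an added example, not code from MajorDoMo or from this advisory. It scans web access logs for requests to the two endpoints and marks an rc/index.php request carrying shell metacharacters that follows a cycle_execs.php request from the same client. The combined log format, the query parameter name `param`, the URL location of cycle_execs.php and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Common/combined access-log line: client, [timestamp], "METHOD target PROTO"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# Shell-special characters; $, backtick, \ and " stay active inside double quotes
SHELL_META = re.compile(r'[$`"\\;|&<>]')
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per site

# Constructed sample lines (documentation IP ranges, placeholder payload)
SAMPLE = [
    '192.0.2.10 - - [18/Feb/2026:21:30:00 +0000] "GET /rc/index.php?param=volume10 HTTP/1.1" 200 12',
    '198.51.100.7 - - [18/Feb/2026:21:31:00 +0000] "GET /cycle_execs.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [18/Feb/2026:21:31:01 +0000] "GET /rc/index.php?param=%24%28PLACEHOLDER%29 HTTP/1.1" 200 12',
]

def audit(lines):
    """Return (client, time, reason) findings for requests to the two endpoints."""
    findings, worker_hits = [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, ts, _method, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        if url.path.endswith("/cycle_execs.php"):
            worker_hits[client] = when  # remember the latest worker request per client
            findings.append((client, when, "web request to queue worker"))
        elif url.path.endswith("/rc/index.php"):
            # parse_qsl percent-decodes values, so encoded metacharacters are seen too
            bad = [k for k, v in parse_qsl(url.query, keep_blank_values=True) if SHELL_META.search(v)]
            if not bad:
                continue
            reason = "shell metacharacter in " + ",".join(bad)
            last = worker_hits.get(client)
            if last is not None and when - last <= WINDOW:
                reason += " shortly after worker request"
            findings.append((client, when, reason))
    return findings

if __name__ == "__main__":
    for client, when, reason in audit(SAMPLE):
        print(client, when.isoformat(), reason)
```

Once access to cycle_execs.php is restricted to trusted networks, any "web request to queue worker" finding from an outside address is worth reviewing on its own.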


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-18T15:22:30.053Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69962e786aea4a407ae921ef

Added to database: 2/18/2026, 9:26:16 PM

Last enriched: 2/18/2026, 9:41:44 PM

Last updated: 2/19/2026, 8:14:22 AM
