CVE-2026-27180: Download of Code Without Integrity Check in sergejey MajorDoMo
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.
AI Analysis
Technical Summary
MajorDoMo (version 0) suffers from a critical vulnerability (CVE-2026-27180) that allows unauthenticated remote code execution. The saverestore module exposes its admin() method at /objects/?module=saverestore without authentication due to improper use of gr('mode') reading directly from $_REQUEST. An attacker can poison the system update URL via the auto_update_settings handler and then trigger the force_update handler to start the update process. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS peer verification disabled, extracts it using a system tar command, and copies all extracted files to the web document root. This chain enables an attacker to deploy arbitrary PHP files, including webshells, with just two GET requests.
Potential Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary code remotely on the affected MajorDoMo system by deploying malicious PHP files to the webroot. This can lead to full system compromise, data theft, service disruption, or further network pivoting. The vulnerability has a CVSS 4.0 score of 9.3 (critical), reflecting its high impact and ease of exploitation without any privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the /objects/?module=saverestore endpoint and disable or restrict the auto-update functionality to prevent exploitation. Monitor for unusual update URL configurations and network activity related to update processes. Avoid exposing the vulnerable module to untrusted networks.
CVE-2026-27180: Download of Code Without Integrity Check in sergejey MajorDoMo
Description
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.
CVSS v4.0
Score 9.3critical
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
MajorDoMo (version 0) suffers from a critical vulnerability (CVE-2026-27180) that allows unauthenticated remote code execution. The saverestore module exposes its admin() method at /objects/?module=saverestore without authentication due to improper use of gr('mode') reading directly from $_REQUEST. An attacker can poison the system update URL via the auto_update_settings handler and then trigger the force_update handler to start the update process. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS peer verification disabled, extracts it using a system tar command, and copies all extracted files to the web document root. This chain enables an attacker to deploy arbitrary PHP files, including webshells, with just two GET requests.
Potential Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary code remotely on the affected MajorDoMo system by deploying malicious PHP files to the webroot. This can lead to full system compromise, data theft, service disruption, or further network pivoting. The vulnerability has a CVSS 4.0 score of 9.3 (critical), reflecting its high impact and ease of exploitation without any privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the /objects/?module=saverestore endpoint and disable or restrict the auto-update functionality to prevent exploitation. Monitor for unusual update URL configurations and network activity related to update processes. Avoid exposing the vulnerable module to untrusted networks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-18T15:22:30.053Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69962e786aea4a407ae92208
Added to database: 02/18/2026, 21:26:16 UTC
Last enriched: 06/24/2026, 15:07:35 UTC
Last updated: 07/10/2026, 07:47:28 UTC
Views: 261
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.