CVE-2026-27180: Download of Code Without Integrity Check in sergejey MajorDoMo

Severity: Critical
Published: Wed Feb 18 2026 (02/18/2026, 21:10:41 UTC)
Source: CVE Database V5
Vendor/Project: sergejey
Product: MajorDoMo

Description

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.

AI-Powered Analysis (machine-generated threat intelligence)

Last updated: 03/07/2026, 21:04:45 UTC

Technical Analysis

MajorDoMo (Major Domestic Module) carries a critical vulnerability, CVE-2026-27180, that gives an unauthenticated network attacker remote code execution by turning the application's own update mechanism against it. The root cause is in the saverestore module: its admin() method is reachable at /objects/?module=saverestore without authentication because it selects its action with gr('mode'), which reads straight from the $_REQUEST superglobal, instead of the framework's $this->mode, so the access checks that the normal dispatch path applies never run. Two of the exposed modes form the attack chain. The auto_update_settings handler lets the caller overwrite the system update URL, and the force_update handler then starts the update. autoUpdateSystem() fetches an Atom feed from that URL with only trivial validation, downloads the referenced tarball with curl while CURLOPT_SSL_VERIFYPEER is set to FALSE, unpacks it with exec('tar xzvf ...'), and copies every extracted file into the document root with copyTree(). Nothing in that path checks who supplied the archive, so the attacker can ship arbitrary PHP files, including a webshell, into the webroot with two GET requests and no user interaction. The affected version is recorded as 0 in the CVE record, which does not identify a specific release; treat all versions as affected until the vendor states otherwise. The CVSS 4.0 metrics describe a network-reachable flaw that needs no privileges or user interaction and has high impact on confidentiality, integrity and availability. No patch and no exploitation in the wild had been reported as of publication.
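The update chain above fails at three points: the URL is request-settable, the download is neither TLS-verified nor integrity-checked, and extraction goes straight through exec() into the webroot. The following PHP is an added illustrative hardening of that chain and is not MajorDoMo's code; the constant and function names, the pinned URLs, the placeholder public key and the $isAuthenticatedAdmin flag (standing in for whatever session check the framework provides) are all assumptions. It pins the update source, verifies the peer certificate, checks a detached Ed25519 signature over the tarball before anything is unpacked (the integrity check the CWE in the title refers to), and extracts in-process into a staging directory whose contents are checked for symlinks and path escapes before any copy to the document root.

```php
<?php
// Added example, not MajorDoMo's updater. Names, URLs and the key below are assumptions.
declare(strict_types=1);

// The update location is a build-time constant, never a value taken from a request
// handler: the CVE's first step is poisoning a request-settable update URL.
const UPDATE_TARBALL_URL = 'https://updates.example.invalid/majordomo-latest.tar.gz'; // assumed
const UPDATE_SIG_URL     = UPDATE_TARBALL_URL . '.sig';                               // assumed
const UPDATE_PUBKEY_HEX  = '0000000000000000000000000000000000000000000000000000000000000000'; // placeholder
const MAX_UPDATE_BYTES   = 64 * 1024 * 1024;

function fetchUrl(string $url, int $maxBytes): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,    // the vulnerable code sets this to FALSE
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect to another host is not an update
        CURLOPT_MAXFILESIZE    => $maxBytes,
        CURLOPT_TIMEOUT        => 60,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err  = curl_error($ch);
    curl_close($ch);
    if (!is_string($body) || $code !== 200) {
        throw new RuntimeException("download of $url failed (HTTP $code) $err");
    }
    return $body;
}

// Integrity check: refuse to unpack anything whose detached Ed25519 signature does
// not verify under the key shipped with the application.
function verifyUpdateSignature(string $tarball, string $sig): void
{
    $pk = sodium_hex2bin(UPDATE_PUBKEY_HEX);
    if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
        || !sodium_crypto_sign_verify_detached($sig, $tarball, $pk)) {
        throw new RuntimeException('update signature invalid; refusing to install');
    }
}

// Unpack with PharData instead of exec('tar xzvf ...'), into a private staging
// directory, and reject symlinks or entries that resolve outside it.
function extractToStaging(string $tarball): string
{
    $staging = sys_get_temp_dir() . '/mdupd_' . bin2hex(random_bytes(8));
    if (!mkdir($staging, 0700)) {
        throw new RuntimeException('cannot create staging dir');
    }
    file_put_contents("$staging.tar.gz", $tarball);
    (new PharData("$staging.tar.gz"))->extractTo($staging, null, true);
    $root = realpath($staging);
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($staging, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        $real = realpath($entry->getPathname());
        if ($entry->isLink() || $real === false || strpos($real, $root . '/') !== 0) {
            throw new RuntimeException('archive entry escapes staging dir: ' . $entry->getPathname());
        }
    }
    return $staging;
}

// The admin handler: authenticate first, take the mode from the framework's own
// dispatcher (passed in here) rather than from $_REQUEST, and expose no mode that
// can change the update source at all.
function handleSaveRestoreAdmin(bool $isAuthenticatedAdmin, string $mode): string
{
    if (!$isAuthenticatedAdmin) {
        http_response_code(403);
        return 'forbidden';
    }
    if ($mode !== 'force_update') {
        return 'nothing to do';
    }
    $tarball = fetchUrl(UPDATE_TARBALL_URL, MAX_UPDATE_BYTES);
    $sig     = fetchUrl(UPDATE_SIG_URL, 4096);
    verifyUpdateSignature($tarball, $sig);     // before anything touches disk
    $staging = extractToStaging($tarball);
    // Only now copy $staging into the document root (e.g. with the project's
    // copyTree()); any failure above leaves the webroot untouched.
    return "verified update staged in $staging";
}
```

The order matters: the signature is checked on the raw bytes before extraction, so a malicious archive never reaches the tar parser, and the staging-directory walk runs before the copy, so a symlink or `..` entry cannot land outside the staging tree. Pinning the URL removes the auto_update_settings step entirely; if the source must stay configurable, it should be changeable only through an authenticated administrative path and the signature check still applies.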

Potential Impact

Successful exploitation gives the attacker code execution as the web server user on the MajorDoMo host, which is usually enough to take over the whole system: read its configuration and stored credentials, alter or destroy data, and keep a persistent webshell. Because MajorDoMo drives home and building automation, that access extends to every connected device, so the consequences can be physical (locks, heating, cameras) as well as informational. Exploitation needs no credentials and no user action, which makes the flaw attractive for opportunistic mass scanning of exposed instances. Organizations that rely on MajorDoMo for monitoring or control also face service disruption and lateral movement into the surrounding network. The supply-chain aspect is per instance: the attacker does not have to compromise the vendor's distribution channel, only point a single installation's updater at a server they control, which is why the update mechanism itself is the control point to fix.

Mitigation Recommendations

Until a patched release is available, block access to /objects/?module=saverestore at the web server or WAF layer, or restrict it to an administrative network. The endpoint requires no authentication, so this is the only control that removes the exposure outright.

Require an authenticated administrator session for every administrative mode handler, and take the mode from the framework's $this->mode rather than from gr('mode') and $_REQUEST, so that the dispatcher's access checks actually apply to the saverestore module.

Do not let a request set the system update URL. The update source should be fixed in the application, or changeable only by an authenticated administrator, and the downloaded tarball should be verified against a vendor signature or pinned hash before it is extracted; that missing check is the weakness named in the title (CWE-494). Re-enabling TLS verification (CURLOPT_SSL_VERIFYPEER set to TRUE) is necessary but not sufficient on its own: as long as the update URL is attacker-controlled, a valid certificate for the attacker's host passes verification.

Replace exec('tar xzvf ...') with an in-process extractor, unpack into a staging directory outside the webroot, and reject archive entries with absolute paths, '..' components or symlinks before anything is copied into the document root.

Alert on outbound HTTPS fetches from the MajorDoMo host to anything other than the vendor's update server, and on new or modified .php files under the webroot; both are direct artifacts of the described chain. Requests to /objects/?module=saverestore carrying mode=auto_update_settings followed by mode=force_update from the same client are the request-side signature.

Segment MajorDoMo instances from the rest of the network so that a compromised host cannot be used for lateral movement, and apply the vendor's patch as soon as one is published.
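The request-side detection suggested above can be checked against web server logs directly. The PHP below is an added example, not part of the advisory or of MajorDoMo: it parses combined-format access log lines, flags each request to /objects/?module=saverestore whose mode is one of the two named in the CVE description, and raises the severity when auto_update_settings and force_update arrive from the same client within a few minutes. The log lines are constructed for this example. The advisory does not name the parameter that carries the poisoned update URL, so the match keys on module and mode only.

```php
<?php
// Added detection example; the log lines are constructed, not captured.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
198.51.100.20 - - [18/Feb/2026:21:14:55 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2026:21:15:01 +0000] "GET /objects/?module=saverestore&mode=auto_update_settings HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [18/Feb/2026:21:15:04 +0000] "GET /objects/?module=saverestore&mode=force_update HTTP/1.1" 200 128 "-" "curl/8.5.0"
198.51.100.20 - - [18/Feb/2026:21:16:10 +0000] "GET /objects/?module=saverestore HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

const SUSPICIOUS_MODES = ['auto_update_settings', 'force_update'];
const CHAIN_WINDOW_SEC = 300;   // assumed correlation window between the two steps

/** Parse one combined-format line into ip, epoch time, method, path, query array and status; null if unparseable. */
function parseAccessLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $ts  = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    $url = parse_url($m[4]);
    parse_str($url['query'] ?? '', $query);
    return [
        'ip'     => $m[1],
        'time'   => $ts ? $ts->getTimestamp() : 0,
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[5],
    ];
}

/** One 'medium' finding per matching request, plus a 'high' finding when both modes come from one client within the window. */
function scanAccessLog(string $log): array
{
    $findings  = [];
    $firstStep = [];   // ip => time of the auto_update_settings request
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseAccessLine($line);
        if ($r === null || $r['path'] !== '/objects/' || ($r['query']['module'] ?? '') !== 'saverestore') {
            continue;
        }
        $mode = $r['query']['mode'] ?? '';
        if (!in_array($mode, SUSPICIOUS_MODES, true)) {
            continue;
        }
        $findings[] = ['level' => 'medium', 'ip' => $r['ip'], 'mode' => $mode, 'status' => $r['status']];
        if ($mode === 'auto_update_settings') {
            $firstStep[$r['ip']] = $r['time'];
        } elseif (isset($firstStep[$r['ip']]) && $r['time'] - $firstStep[$r['ip']] <= CHAIN_WINDOW_SEC) {
            $findings[] = ['level' => 'high', 'ip' => $r['ip'], 'mode' => 'auto_update_settings -> force_update'];
        }
    }
    return $findings;
}

foreach (scanAccessLog(SAMPLE_LOG) as $f) {
    echo strtoupper($f['level']), ' ', $f['ip'], ' ', $f['mode'], PHP_EOL;
}
```

On the constructed lines the scan reports two medium findings for 203.0.113.7 and one high finding for the completed chain, while the browser visit to the bare endpoint from 198.51.100.20 is ignored. A 200 on either request from an unauthenticated client is itself worth alerting on, since a patched instance should refuse the mode without a session; and because the endpoint takes $_REQUEST, the same parameters may arrive in a POST body and will not show in the request line, so body logging or a WAF rule is needed to cover that variant.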


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-18T15:22:30.053Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69962e786aea4a407ae92208

Added to database: 2/18/2026, 9:26:16 PM

Last enriched: 3/7/2026, 9:04:45 PM

Last updated: 4/5/2026, 10:54:36 AM
