CVE-2026-27180: Download of Code Without Integrity Check in sergejey MajorDoMo
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.
AI Analysis
Technical Summary
CVE-2026-27180 is a critical vulnerability in the MajorDoMo home automation platform maintained by sergejey. The vulnerability stems from the saverestore module exposing its admin() method via the /objects/?module=saverestore endpoint without any authentication. This occurs because the code uses gr('mode'), which reads directly from the global $_REQUEST variable, instead of the framework's safer $this->mode property, allowing attackers to manipulate the mode parameter. An attacker can exploit this by poisoning the system update URL through the auto_update_settings mode handler. Subsequently, the attacker triggers the force_update handler, initiating the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with minimal validation, then downloads a tarball using curl with CURLOPT_SSL_VERIFYPEER set to FALSE, disabling TLS certificate verification. The tarball is extracted using a system call to 'tar xzvf', and the extracted files are copied to the web document root via copyTree(). This process enables an attacker to deploy arbitrary PHP files, including webshells, effectively achieving unauthenticated remote code execution on the server with only two crafted GET requests. The vulnerability has a CVSS 4.0 score of 9.3 (critical), reflecting its network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild yet, but the ease of exploitation and severity make it a significant threat. No patches are currently linked, so mitigation relies on configuration changes and monitoring until official fixes are released.
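The update chain described above trusts a URL that lives in a mutable setting, skips TLS verification, and unpacks whatever it downloaded straight into the webroot. The following is an added example, not MajorDoMo's code; it is written in Python to show the gate such a pipeline needs independently of the PHP code base: the update source is pinned to an operator-controlled allowlist, the archive's integrity is proven against a digest obtained out of band before anything is opened, and any archive member that could escape the destination is refused. The host `updates.example.invalid`, the digest and the archive contents are all constructed for the demo; the TLS side is left to the HTTP client's default (verification on), which this offline code does not exercise.

```python
"""Trust checks an update pipeline should perform before unpacking code.

Added example, not MajorDoMo's code. Models the three decisions the advisory
says are missing: pin the update source, verify archive integrity, refuse
members that escape the destination. Host, digest and archive are constructed.
"""
import hashlib
import hmac
import io
import tarfile
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed placeholder: the operator-pinned update host. A URL stored in a
# user-editable setting is not a trust anchor; the allowlist lives in config/code.
ALLOWED_UPDATE_HOSTS = frozenset({"updates.example.invalid"})


def validate_update_url(url, allowed_hosts=ALLOWED_UPDATE_HOSTS):
    """Accept only https URLs pointing at a pinned host, with no embedded credentials."""
    p = urlparse(url)
    if p.scheme != "https":
        return False, "scheme must be https"
    if p.username or p.password:
        return False, "credentials embedded in URL"
    if (p.hostname or "").lower() not in allowed_hosts:
        return False, "host %r is not a pinned update host" % p.hostname
    return True, "ok"


def sha256_hex(data):
    """Hex SHA-256 of the raw archive bytes."""
    return hashlib.sha256(data).hexdigest()


def unsafe_member_reason(member):
    """Return why a tar member must not be extracted into the webroot, or None."""
    name = member.name
    if name.startswith(("/", "\\")):
        return "absolute path"
    if ".." in PurePosixPath(name).parts:
        return "path traversal"
    if member.issym() or member.islnk():
        return "link member"
    if not (member.isfile() or member.isdir()):
        return "special file"
    return None


def check_tarball(data, expected_sha256):
    """Verify the digest first, then inspect every member; nothing is extracted."""
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        return False, "digest mismatch", []
    names = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            reason = unsafe_member_reason(member)
            if reason:
                return False, "%s: %s" % (reason, member.name), []
            names.append(member.name)
    return True, "ok", names


def decide_update(url, data, expected_sha256):
    """The whole gate: source pinned, integrity proven, contents safe to unpack."""
    ok, reason = validate_update_url(url)
    if not ok:
        return False, "url rejected: " + reason
    ok, reason, _ = check_tarball(data, expected_sha256)
    if not ok:
        return False, "archive rejected: " + reason
    return True, "accepted"


def build_tarball(files):
    """Construct an in-memory .tar.gz from {name: bytes}; demo input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    release = build_tarball({"modules/demo/demo.class.php": b"<?php // constructed\n"})
    pinned_digest = sha256_hex(release)  # in practice: from a signed manifest or config
    print(decide_update("https://updates.example.invalid/r.tgz", release, pinned_digest))
    print(decide_update("http://203.0.113.9/r.tgz", release, pinned_digest))
    print(decide_update("https://updates.example.invalid/r.tgz", release, "0" * 64))
```

The expected digest must arrive through a channel the downloaded archive cannot influence (a value pinned in configuration or a signed manifest verified with a vendor key), otherwise the check only confirms the attacker's archive matches the attacker's digest. Member inspection happens before extraction because `tar xzvf` run via a shell honours `..` and symlink members; extracting into a staging directory and promoting files afterwards is the natural next step.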
Potential Impact
For European organizations using MajorDoMo, this vulnerability poses a severe risk of full system compromise. Attackers can remotely execute arbitrary code without authentication, leading to potential data theft, system manipulation, or use of the compromised system as a pivot point for further attacks. Given MajorDoMo's role in home and building automation, attackers could disrupt critical infrastructure controls, impacting physical security, energy management, or safety systems. The ability to deploy webshells allows persistent access and stealthy control. The lack of TLS verification in the update process also exposes organizations to man-in-the-middle attacks, increasing the risk of supply chain compromise. Organizations with internet-facing MajorDoMo instances are particularly vulnerable, and the impact extends to privacy violations and operational disruptions. The critical severity and ease of exploitation necessitate urgent attention to prevent potential widespread abuse in Europe.
Mitigation Recommendations
1. Immediately restrict access to the /objects/?module=saverestore endpoint using network-level controls such as firewalls or web application firewalls (WAFs) to prevent unauthenticated access.
2. Disable or restrict the auto-update feature until a secure patch is available.
3. Implement strict validation and sanitization of update URLs to prevent poisoning attacks.
4. Ensure TLS certificate verification is enabled during all update downloads by setting CURLOPT_SSL_VERIFYPEER to TRUE in the codebase.
5. Monitor web server logs for suspicious requests targeting the saverestore module or unusual tar extraction commands.
6. Employ application-level authentication and authorization checks on all admin-related endpoints.
7. Conduct integrity checks on update packages and consider using signed updates to prevent tampering.
8. Once available, promptly apply official patches from the vendor addressing this vulnerability.
9. Consider isolating MajorDoMo installations within segmented network zones to limit lateral movement if compromised.
10. Educate system administrators about this vulnerability and encourage proactive threat hunting for indicators of compromise.
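Recommendation 5 asks for log monitoring of the saverestore module. The following added example (not part of the advisory or of MajorDoMo) parses web server access logs in combined format and raises findings for requests to the /objects/ endpoint with module=saverestore: any access is noted at low severity, the two mode handlers named in the description (auto_update_settings and force_update) at medium, and the sequence auto_update_settings followed by force_update from the same client within a short window at high, since that pairing is the update chain the advisory describes. The log lines are constructed; the window length and severity labels are choices made here, not values from the page.

```python
"""Access-log detection for the saverestore update chain.

Added example, not MajorDoMo code. Parses combined-format access log lines
and flags saverestore requests, escalating when the two mode handlers named in
the advisory are called in sequence by the same client. Log lines constructed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/objects/"
TARGET_MODULE = "saverestore"
CHAIN_MODES = ("auto_update_settings", "force_update")

# Constructed sample: one client calls both handlers four seconds apart,
# a second client merely opens the module page.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2026:21:10:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2026:21:10:05 +0000] "GET /objects/?module=saverestore&mode=auto_update_settings HTTP/1.1" 200 214 "-" "curl/8.4.0"
203.0.113.7 - - [18/Feb/2026:21:10:09 +0000] "GET /objects/?module=saverestore&mode=force_update HTTP/1.1" 200 98 "-" "curl/8.4.0"
198.51.100.4 - - [18/Feb/2026:21:30:00 +0000] "GET /objects/?module=saverestore HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields the detector needs, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    query = parse_qs(url.query)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "module": query.get("module", [None])[0],
        "mode": query.get("mode", [None])[0],
        "status": int(m["status"]),
    }


def detect(lines, window=timedelta(minutes=10)):
    """Yield (severity, client_ip, message) findings for saverestore activity."""
    findings = []
    last_settings_call = {}  # client ip -> time of its last auto_update_settings hit
    for line in lines:
        r = parse_line(line)
        if not r or r["path"] != TARGET_PATH or r["module"] != TARGET_MODULE:
            continue
        mode = r["mode"]
        if mode == "auto_update_settings":
            last_settings_call[r["ip"]] = r["ts"]
            findings.append(("medium", r["ip"], "update settings handler called unauthenticated-capable endpoint"))
        elif mode == "force_update":
            prev = last_settings_call.get(r["ip"])
            if prev is not None and r["ts"] - prev <= window:
                findings.append(("high", r["ip"], "auto_update_settings then force_update within %s" % window))
            else:
                findings.append(("medium", r["ip"], "force_update handler called"))
        else:
            findings.append(("low", r["ip"], "saverestore module accessed (mode=%s)" % mode))
    return findings


if __name__ == "__main__":
    for severity, ip, message in detect(SAMPLE_LOG.splitlines()):
        print(severity.upper(), ip, message)
```

Because the endpoint is reachable without authentication, the detector does not try to distinguish administrators from strangers by request alone; pair its output with the source address (anything outside the management network hitting these handlers is worth a look) and with file-system monitoring of the webroot for newly written PHP files, which is where the update chain ends.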
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-18T15:22:30.053Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69962e786aea4a407ae92208
Added to database: 2/18/2026, 9:26:16 PM
Last enriched: 2/18/2026, 9:41:17 PM
Last updated: 2/19/2026, 6:04:17 PM