A newly disclosed flaw exposes internet-facing MajorDoMo servers to unauthenticated remote code execution via a broken authentication flow and unsafe dynamic PHP evaluation.
The vulnerability (CVE-2026-27174) stems from the /admin.php request flow, where improper handling of unauthorized access allows execution to continue even after a redirect, effectively bypassing access controls.
That continued execution exposes an internal AJAX console handler that passes attacker-controlled input directly into PHP’s eval() function, turning a single crafted HTTP request into full server-side code execution on exposed MajorDoMo instances.
Because MajorDoMo often manages cameras, sensors, automation routines, and other internal IoT services, successful exploitation can quickly escalate from web compromise to wider smart-environment and network exposure.
Exploitation Mechanics and Attack Chain
Exploiting this architectural oversight requires only a single, specially crafted HTTP GET request directed at the exposed administrative interface.
Full Attack Chain(source : resecurity )
Threat actors can trigger the vulnerability by passing specific routing variables, namely selecting the internal console operation and supplying their malicious payload through the command parameter.
Even though the server returns a redirect response to the client, the backend interpreter continues to process the injected payload and executes arbitrary PHP instructions.
This grants attackers unrestricted access to the application environment, allowing them to run system-level commands, read sensitive configuration files, and establish persistent backdoor access by writing web shells to the underlying file system.
Attacker finds exposed MajorDoMo instance(source : resecurity )
As reported by Resecurity, the vulnerability is already covered by a publicly available detection template in the ProjectDiscovery Nuclei repository, signaling a heightened risk of rapid exploitation against exposed smart-home systems.
Because MajorDoMo frequently serves as the central orchestration engine for IoT devices, cameras, and private automation networks, the impact of this remote code execution flaw extends far beyond the immediate web application.
Security researchers warn that a compromised host can be weaponized as a strategic foothold, enabling threat actors to intercept surveillance feeds, extract stored network credentials, and pivot laterally into deeper, better-protected segments of the internal network.
Proof of Concept (source : resecurity )
To mitigate this severe threat, administrators must urgently restrict administrative panel access to trusted internal IP addresses and deploy the platform behind a secure virtual private network or an advanced reverse proxy authentication gateway.
Organizations should proactively audit their system logs for unexpected console operations and apply the latest vendor patches to eliminate unsafe dynamic code-execution pathways permanently.
Indicators of Compromise (IoCs)
TypeIndicator DetailsNetworkHTTP GET requests to /admin.php with parameters like ajax_panel, op, and command from external or untrusted IPs.NetworkUnusual outbound connections from the server hosting MajorDoMo, potentially indicating C2 or data exfiltration.HostSuspicious child processes spawned by the web server (e.g., www-data, apache), suggesting remote command execution.HostUnexpected PHP files, web shells, or backdoors in web-accessible or temporary directories, indicating compromise.
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post New MajorDoMo RCE Vulnerability Exposes Servers to Code Execution Attacks appeared first on Cyber Security News.
