Unauthenticated Remote Code Execution in MajorDoMo by Chocapikk
CVE-2026-27174

9.3 CRITICAL

Key Information:

Vendor

Sergejey

Status
Vendor
CVE Published: 18 February 2026

Badges

Exploit Exists | Public PoC | EPSS 84% | News Worthy

What is CVE-2026-27174?

CVE-2026-27174 is a serious vulnerability in MajorDoMo, an open-source home automation system developed by Sergejey. It allows unauthenticated remote code execution, posing a significant risk to organizations using the platform. The flaw lies in the PHP console feature of the admin panel: an include-order bug in modules/panel.class.php lets execution continue past a redirect call that lacks an exit statement, so unauthenticated requests are still processed. An attacker can exploit this by sending a specially crafted GET request to the /admin.php endpoint with parameters such as ajax_panel, op, and command, which executes arbitrary PHP code without any authentication check.
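
A log check for the request shape described above, as an added example (not from the original page or the MajorDoMo project): it flags GET requests to admin.php that carry all three parameters ajax_panel, op and command. The combined access-log layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Parameter names the advisory lists for the crafted request.
REQUIRED_PARAMS = {"ajax_panel", "op", "command"}

# Assumed layout: ip - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_suspect(method, target):
    """True for a GET to admin.php carrying all three console parameters."""
    raw_path, _, query = target.partition("?")
    # Decode and collapse repeated slashes so "//admin.php" still matches.
    path = re.sub(r"/+", "/", unquote(raw_path)).lower()
    if method != "GET" or not path.endswith("/admin.php"):
        return False
    # parse_qs percent-decodes names, so encoded spellings are caught too.
    names = set(parse_qs(query, keep_blank_values=True))
    return REQUIRED_PARAMS <= names

def scan(lines):
    """Return (ip, time, status, target) for each matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspect(m["method"], m["target"]):
            hits.append((m["ip"], m["time"], m["status"], m["target"]))
    return hits

# Constructed sample lines (not real traffic); parameter values are placeholders.
SAMPLE = [
    '198.51.100.7 - - [20/Feb/2026:10:01:02 +0000] "GET /admin.php?ajax_panel=A&op=B&command=C HTTP/1.1" 200 12',
    '198.51.100.7 - - [20/Feb/2026:10:01:05 +0000] "GET //admin.php?op=B&%63ommand=C&ajax_panel=A HTTP/1.1" 302 0',
    '192.0.2.10 - - [20/Feb/2026:10:02:00 +0000] "GET /admin.php?action=devices HTTP/1.1" 200 5120',
    '192.0.2.10 - - [20/Feb/2026:10:02:09 +0000] "GET /index.php?command=C&op=B&ajax_panel=A HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

Because the flaw skips the authentication check, a match from a client with no authenticated admin session is the case to investigate first.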

Potential impact of CVE-2026-27174

  1. Unauthorized Access and Control: The ability for attackers to execute arbitrary code remotely means they can gain unauthorized access to the system, manipulate data, and control operations, potentially compromising the entire infrastructure of the organization.

  2. Data Breaches: Exploiting this vulnerability could lead to significant data breaches, allowing attackers to access sensitive information, which could be used for malicious purposes or sold on the dark web.

  3. Malware Deployment: With remote code execution capabilities, attackers can install malicious software or ransomware on vulnerable systems, leading to further system compromise and potential data loss for the organization.

Affected Version(s)

MajorDoMo 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. It is also a key component of weaponization, which could lead to ransomware.

News Articles

ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories

ThreatsDay Bulletin: active exploits, supply chain attacks, AI abuse, and stealth data risks observed this week.

1 day ago

EPSS Score

84% chance of being exploited in the next 30 days.

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • First article discovered by The Hacker News

  • Public PoC available

  • Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein