CVE-2026-27175
published 2026-02-18


Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 6.87% (93.3rd percentile)
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes and is not sanitized with escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.

Affected

1 range

Vendor | Product | Version range | Fixed in
sergejey | majordomo | <= * | (none listed)

Detection & IOCs (extracted from sources)

url: rc/index.php
url: cycle_execs.php
path: rc/commands/shutdown.bat
path: rc/commands/displayon.bat
path: rc/commands/displayoff.bat
  • Monitor for unauthenticated HTTP requests to rc/index.php containing shell metacharacters (e.g., $, `, ;, |, &) in the 'param' parameter, which indicate command injection attempts.
  • Alert on unauthenticated HTTP requests to cycle_execs.php, especially when preceded within seconds by a request to rc/index.php — this two-step pattern is the race condition exploit sequence.
  • Detect database writes to the safe_execs table containing shell metacharacters, as the injection payload is stored there before execution.
  • Flag the exploit's required use of a valid .bat filename (e.g., shutdown.bat, displayon.bat, displayoff.bat) in the command parameter of rc/index.php requests, as the injection is appended to one of these known filenames.
  • Look for the Metasploit module path 'exploits/multi/http/majordomo_cmd_injection_rce' in IDS/proxy logs as an indicator of automated exploitation.
  • The race condition exploit requires cycle_execs.php to be started first to purge the queue; if the worker is not running or the queue is not purged, the injection may not execute. Detection logic should account for the ~1 second polling window.
  • All versions of MajorDoMo up to and including the latest release are affected; no patched version is currently available. The fix is only tracked as a pending PR.
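
The first two monitoring rules above, sketched as access-log analysis. This is an added example, not part of the CVE record or the MajorDoMo project. It assumes combined-format web server logs and a 5-second correlation window; the log lines are constructed and the payload is a placeholder.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format assumed); payload is a placeholder.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Feb/2026:10:00:00 +0000] "GET /cycle_execs.php HTTP/1.1" 200 0
198.51.100.7 - - [18/Feb/2026:10:00:01 +0000] "GET /rc/index.php?command=shutdown.bat&param=%24%28placeholder%29 HTTP/1.1" 200 12
203.0.113.5 - - [18/Feb/2026:10:05:00 +0000] "GET /rc/index.php?command=displayon.bat&param=1 HTTP/1.1" 200 12
203.0.113.9 - - [18/Feb/2026:10:07:00 +0000] "GET /cycle_execs.php HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
META = set("$`;|&")            # shell metacharacters named in the detection notes
WINDOW = timedelta(seconds=5)  # assumption: tolerance around the ~1 s polling window

def parse(line):
    """Return (time, client, path, param values), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, stamp, target = m.groups()
    url = urlsplit(target)
    # parse_qs percent-decodes, so encoded metacharacters are matched as sent
    values = parse_qs(url.query, keep_blank_values=True).get("param", [])
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return when, client, url.path, values

def detect(log_text):
    """Return (client, finding) tuples in log order."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    workers = [e for e in events if e[2].endswith("/cycle_execs.php")]
    injections = [e for e in events if e[2].endswith("/rc/index.php")
                  and any(META & set(v) for v in e[3])]
    findings = []
    for e in events:
        when, client = e[0], e[1]
        # Correlate on time only: the two requests need not share a source address.
        if e in workers:
            near = any(abs(when - i[0]) <= WINDOW for i in injections)
            findings.append((client, "worker+injection" if near else "worker-request"))
        elif e in injections:
            near = any(abs(when - w[0]) <= WINDOW for w in workers)
            findings.append((client, "injection+worker" if near else "injection"))
    return findings

if __name__ == "__main__":
    for client, finding in detect(SAMPLE_LOG):
        print(client, finding)
```

Access logs record only the query string, so a `param` value sent in a request body has to be inspected at a proxy or WAF instead.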

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck | 9.2 | CRITICAL