CVE-2026-27175
Published 2026-02-18
Priority P187 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 6.87% (93.3rd percentile)
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sergejey | majordomo | <= * | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP requests to rc/index.php containing shell metacharacters (e.g., $, `, ;, |, &) in the 'param' parameter, which indicate command injection attempts.
- Alert on unauthenticated HTTP requests to cycle_execs.php, especially when preceded within seconds by a request to rc/index.php — this two-step pattern is the race condition exploit sequence.
- Detect database writes to the safe_execs table containing shell metacharacters, as the injection payload is stored there before execution.
- Flag the exploit's required use of a valid .bat filename (e.g., shutdown.bat, displayon.bat, displayoff.bat) in the command parameter of rc/index.php requests, as the injection is appended to one of these known filenames.
- Look for the Metasploit module path 'exploits/multi/http/majordomo_cmd_injection_rce' in IDS/proxy logs as an indicator of automated exploitation.
- Note: the race condition exploit requires cycle_execs.php to be started first to purge the queue; if the worker is not running or the queue is not purged, the injection may not execute. Detection logic should account for the ~1 second polling window.
- Note: all versions of MajorDoMo up to and including the latest release are affected; no patched version is currently available. The fix is only tracked as a pending PR.
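The first two detection items above can be checked mechanically against a web server access log. The following is an added example written for this page (it is not part of the advisory, of VulnCheck's rules, or of MajorDoMo); it parses combined-format access log lines, raises an alert when the `param` value of an rc/index.php request contains one of the metacharacters listed above, and raises a second alert when the same client requests cycle_execs.php and rc/index.php within a short window. The 5-second window is an assumption (the text only says "within seconds"), the example accepts either ordering of the two requests because the description and the IOC note differ on which comes first, and the sample log lines are constructed with documentation IP addresses.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Shell metacharacters named in the detection guidance for the 'param' value.
METACHARS = set('$`;|&')

# Assumption: "within seconds" is modelled as a 5-second window either side.
RACE_WINDOW_SECONDS = 5

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Feb/2026:10:00:01 +0000] "GET /cycle_execs.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.5 - - [18/Feb/2026:10:00:02 +0000] "GET /rc/index.php?param=displayon.bat%3Bx HTTP/1.1" 200 55 "-" "curl/8.0"',
    '198.51.100.7 - - [18/Feb/2026:10:05:00 +0000] "GET /rc/index.php?param=displayon.bat HTTP/1.1" 200 55 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Feb/2026:10:10:00 +0000] "GET /rc/index.php?param=shutdown.bat HTTP/1.1" 200 55 "-" "python-requests/2.31"',
    '203.0.113.9 - - [18/Feb/2026:10:10:03 +0000] "GET /cycle_execs.php HTTP/1.1" 200 12 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    url = urlsplit(m.group('target'))
    return {
        'ip': m.group('ip'),
        'ts': ts,
        'path': url.path,
        # parse_qs percent-decodes values, so %3B becomes ';' here.
        'query': parse_qs(url.query, keep_blank_values=True),
        'ua': m.group('ua'),
    }


def has_metachars(value):
    """True if the (decoded) parameter value contains a listed shell metacharacter."""
    return any(c in METACHARS for c in unquote(value))


def analyze(lines):
    """Return a list of alerts for the two log-based indicators."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    alerts = []

    # Rule 1: metacharacters in the 'param' value of an rc/index.php request.
    for e in events:
        if e['path'].endswith('/rc/index.php'):
            for value in e['query'].get('param', []):
                if has_metachars(value):
                    alerts.append({'rule': 'metachar_in_param', 'ip': e['ip'],
                                   'at': e['ts'], 'detail': value})

    # Rule 2: cycle_execs.php and rc/index.php from the same client within the window.
    by_ip = {}
    for e in events:
        by_ip.setdefault(e['ip'], []).append(e)
    for ip, evs in by_ip.items():
        cycles = [e for e in evs if e['path'].endswith('/cycle_execs.php')]
        rcs = [e for e in evs if e['path'].endswith('/rc/index.php')]
        for c in cycles:
            for r in rcs:
                gap = abs((r['ts'] - c['ts']).total_seconds())
                if gap <= RACE_WINDOW_SECONDS:
                    alerts.append({'rule': 'race_sequence', 'ip': ip,
                                   'at': min(c['ts'], r['ts']),
                                   'detail': 'cycle_execs.php and rc/index.php %.0fs apart' % gap})
    return alerts


if __name__ == '__main__':
    for a in analyze(SAMPLE_LOG):
        print(a['rule'], a['ip'], a['at'].isoformat(), a['detail'])
```

Run against the constructed sample, the analysis reports one `metachar_in_param` alert and two `race_sequence` alerts (one per ordering) and stays silent for the benign request from 198.51.100.7. A raw `&` in a query string is a parameter separator, so the value check only catches it when it is percent-encoded; if that matters in your environment, also inspect the raw query string for rc/index.php requests.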
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.2 | CRITICAL | — |
GHSA
GHSA-jmf5-x823-23g3 (ghsa_unreviewed, 2026-02-19) · CVE-2026-27175 [CRITICAL] · CWE-78
Carries the same description as above: MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php.
VulnCheck
mjdm majordomo: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2026 · CVSS 9.2 · CVE-2026-27175 [CRITICAL]
Carries the same description as above: MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php.
No detection rules found.
Hackernews
ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories (blogs_hackernews, 2026-04-23; tagged CVE-2026-27175)
You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still works with small changes. Same bugs. Same mistakes.
The supply chain is messy. Packages you did not check are stealing data, adding backdoors, and spreading. Attacking the systems behind apps is easier than breaking the apps themselves. The exploits are simple but still work, giving attackers easy access.
AI tools are also part of the problem now. They trust bad input and take real actions, which makes the damage
Greynoiseio
NoiseLetter March 2026 (blogs_greynoiseio)
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T