cbcvebase.
CVE-2026-27180
published 2026-02-18


Priority: P275, critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
EPSS: 1.09% (61.1th percentile)
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.

Affected

1 range

Vendor: sergejey
Product: majordomo
Version range: <= * (all versions)
Fixed in: none

Detection & IOCs (extracted from sources)

url: /objects/?module=saverestore
command: exec('tar xzvf ...')
path: /objects/?module=saverestore
  • Alert on unauthenticated GET requests to /objects/?module=saverestore with mode=auto_update_settings, which is used to poison the MASTER_UPDATE_URL to an attacker-controlled server.
  • Alert on unauthenticated GET requests to /objects/?module=saverestore with mode=force_update, which triggers the malicious update chain download and extraction.
  • Detect outbound curl requests from the MajorDoMo web process with TLS peer verification disabled (CURLOPT_SSL_VERIFYPEER=FALSE) to unexpected external hosts, which indicates the poisoned update URL is being fetched.
  • Monitor for execution of 'tar xzvf' commands spawned by the web server process (e.g., apache2, nginx, php-fpm), which indicates tarball extraction as part of the supply chain attack.
  • Monitor for new PHP files written to the MajorDoMo document root by the web server process following a force_update request, which may indicate webshell deployment via copyTree().
  • The exploit uses a fake Atom feed with an entry timestamp older than the configured update delay (default 1 day) to bypass the age check in autoUpdateSystem(). Inspect outbound HTTP responses serving Atom feeds to the MajorDoMo host for anomalous/backdated timestamps.
  • The root cause is that the saverestore module uses gr('mode') (reading directly from $_REQUEST) instead of $this->mode, bypassing framework authentication. Look for this pattern in code audits or WAF rules targeting the 'mode' parameter on the saverestore endpoint.
  • All versions of MajorDoMo up to and including the latest release are affected; no patched release exists yet, and the fix is only tracked as a pending pull request.
  • The vulnerability is exploitable with only two unauthenticated GET requests, meaning no session, credentials, or prior access is required, lowering the bar for mass exploitation.
  • The tarball fetched from the attacker-controlled URL has no integrity check and TLS verification is disabled, meaning any network-adjacent attacker (MitM) can also inject a malicious tarball without needing to poison the update URL.
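The two log-based detections above (the mode=auto_update_settings poisoning request and the mode=force_update trigger) can be implemented as a small access-log scan. This is an added example, not code from the advisory or from MajorDoMo; the log lines are constructed, and because the page does not name the GET parameter that carries the new update URL, the detection keys only on the `module` and `mode` parameters and escalates when the same source sends both modes in order.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.9 - - [18/Feb/2026:09:58:40 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2026:10:00:01 +0000] "GET /objects/?module=saverestore&mode=auto_update_settings HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [18/Feb/2026:10:00:03 +0000] "GET /objects/?module=saverestore&mode=force_update HTTP/1.1" 200 128 "-" "curl/8.5.0"
198.51.100.9 - - [18/Feb/2026:10:01:15 +0000] "GET /objects/?module=saverestore HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# The two saverestore mode handlers named in the advisory.
SUSPICIOUS_MODES = {"auto_update_settings", "force_update"}


def parse_line(line):
    """Return (ip, timestamp, path, query dict) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return m.group("ip"), m.group("ts"), parts.path, query


def detect_saverestore_abuse(log_text):
    """Flag saverestore requests using a suspicious mode ("high"), and raise a
    "critical" alert when one source sends auto_update_settings and then
    force_update, i.e. the poison-then-trigger chain described above."""
    alerts = []
    seen_modes = defaultdict(set)  # source ip -> modes already observed
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, query = parsed
        if path != "/objects/" or query.get("module") != "saverestore":
            continue
        mode = query.get("mode")
        if mode not in SUSPICIOUS_MODES:
            continue  # plain module views are normal admin traffic
        alerts.append({"severity": "high", "ip": ip, "ts": ts, "mode": mode})
        if mode == "force_update" and "auto_update_settings" in seen_modes[ip]:
            alerts.append({"severity": "critical", "ip": ip, "ts": ts, "mode": "update_chain"})
        seen_modes[ip].add(mode)
    return alerts
```

Correlating the "critical" alert with a subsequent `tar xzvf` child of the web server process, or with new PHP files under the document root, confirms the chain ran rather than merely being attempted.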

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X