Critical (9.8)

PHP RCE Vulnerability (CVE-2026-27174) [PoC]

CVE-2026-27174

MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to contin...

Affected: PHP

Overview

A critical security flaw has been identified in MajorDoMo (Major Domestic Module), a popular smart home automation platform. This vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems remotely, granting them full control over the server.

Vulnerability Details

The flaw exists due to a combination of two issues in the software’s admin panel. First, a logic error allows unauthenticated requests to bypass the normal login requirement. Second, a feature called the PHP console, intended for administrators, does not verify user permissions and directly executes code supplied by an attacker.

Specifically, an attacker can send a specially crafted web request to the /admin.php page. This request tricks the system into processing commands through its administrative backend. The vulnerable code then takes attacker-controlled input from the request and passes it directly to the PHP eval() function, which executes it as code on the server.

Impact

The impact of this vulnerability is severe. An unauthenticated attacker exploiting this flaw can:

  • Execute any command or PHP code on the underlying operating system.
  • Install malware, create backdoors, or steal sensitive data.
  • Compromise the entire server hosting MajorDoMo and potentially attack other devices on the same network.
  • Disable or manipulate smart home devices connected to the system, leading to safety, security, or privacy breaches.

Given that MajorDoMo often controls physical devices like cameras, locks, and sensors, this vulnerability poses a direct risk to physical security and personal safety.

Remediation and Mitigation

Immediate action is required to protect affected systems.

Primary Solution: Apply a Patch

  • Users should upgrade to a patched version of MajorDoMo as soon as the vendor releases one. Monitor the official MajorDoMo project channels for security updates.

Immediate Mitigation Steps (If a Patch is Not Yet Available):

  1. Restrict Access: Use a firewall or web server configuration (e.g., .htaccess for Apache) to block all external internet access to the MajorDoMo admin panel (typically the /admin.php path and the /admin/ directory). Only allow access from trusted, internal IP addresses if remote administration is necessary.
  2. Disable the Feature: If possible, disable the PHP console module. This may require manually modifying or removing the relevant files (modules/panel.class.php and inc_panel_ajax.php). Always back up files before modification.
  3. Network Segmentation: Isolate the MajorDoMo server on its own dedicated network segment, separate from critical personal devices and main business networks.
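As an added, defender-side example (not code from this advisory or from the MajorDoMo project): a small Python script that scans Apache-style access logs for requests to the admin panel locations named above (/admin.php and the /admin/ directory) arriving from outside the trusted internal ranges that step 1 would allowlist. The sample log lines, the trusted networks (10.0.0.0/8 and 192.168.0.0/16) and the severity heuristic (a POST ranked above a GET because a POST can carry attacker-supplied input in its body, while a GET of the panel page may only be a probe) are constructed assumptions for illustration, not values from the advisory or the vendor. A 2xx status on such a request also tells you the restriction from step 1 is not in place, since a deny rule would answer 403.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample lines in Apache "combined" log format; not real traffic.
# Documentation-only ranges (203.0.113.0/24, 198.51.100.0/24) stand in for
# untrusted internet clients; RFC 1918 addresses stand in for trusted LAN hosts.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Mar/2026:08:01:12 +0000] "GET /admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2026:08:02:03 +0000] "POST /admin.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.45 - - [10/Mar/2026:08:02:05 +0000] "GET /admin/?page=devices HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:08:03:44 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2026:08:04:10 +0000] "POST /admin.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped, not crash the scan
"""

# Assumed trusted ranges: the internal networks step 1 would allowlist.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Admin panel locations named in the advisory.
ADMIN_FILE = "/admin.php"
ADMIN_DIR = "/admin/"

# Apache "combined" format: client, ident, user, [timestamp], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


class Finding(NamedTuple):
    ip: str
    method: str
    path: str
    status: int
    severity: str
    reason: str


def is_trusted(ip: str) -> bool:
    """True if ip falls inside an allowlisted internal range.

    Anything that does not parse as an IP address is treated as untrusted,
    so a hostname or garbage in the client field never silently passes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_admin_path(path: str) -> bool:
    """Match the admin panel file or directory, ignoring any query string."""
    bare = path.split("?", 1)[0]
    return bare == ADMIN_FILE or bare.startswith(ADMIN_DIR)


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per admin-panel request from an untrusted address."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line: skip rather than abort the whole scan
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if not is_admin_path(path) or is_trusted(ip):
            continue
        # Heuristic (an assumption, not from the advisory): a POST can carry
        # attacker-supplied input in its body, so rank it above a GET that may
        # only be probing for the panel.
        severity = "high" if method == "POST" else "medium"
        reason = "admin panel request from untrusted network"
        if 200 <= status < 300:
            # A deny rule from step 1 would answer 403, so a 2xx here means
            # the panel is still reachable from outside.
            reason += "; served with 2xx, access restriction not in effect"
        findings.append(Finding(ip, method, path, status, severity, reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

On the constructed sample this reports two findings for 203.0.113.45 (the POST to /admin.php as high, the GET under /admin/ as medium), both marked as served with 2xx; the LAN requests and the malformed line produce nothing. Replace SAMPLE_LOG with the contents of the web server's access log and TRUSTED_NETWORKS with the ranges actually permitted by the firewall or .htaccess rule.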

General Advice:

  • Do not expose smart home administration panels directly to the internet. Always use a secure VPN for remote access.
  • Regularly audit your systems for unauthorized changes or new user accounts, as these may indicate a compromise.

Metasploit Modules

Weaponized exploit code — authorized use only

The Metasploit Framework modules below are production-ready exploit code maintained by Rapid7. Unlike random GitHub PoCs, these are vetted by Metasploit maintainers and integrated into a point-and-click exploitation framework used by red teams worldwide. The presence of an MSF module means this CVE is trivially exploitable at scale — patch immediately.

Authorized use only. Run only against systems you own or have explicit written permission to test. Using exploit code against systems you do not own is illegal in most jurisdictions and violates Yazoul's terms of use.

Module: exploit/multi/http/majordomo_console_eval_rce

1 Metasploit module indexed for this CVE. Source: rapid7/metasploit-framework.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: MaxMnMl/majordomo-CVE-2026-27174-poc (0 stars)

CVE-2026-27174 - An unauthenticated remote code execution via the admin panel's PHP console feature

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
