CVE-2026-27180: MajorDoMo RCE via Update URL Poisoning

CVE-2026-27180 Overview

CVE-2026-27180 is a critical remote code execution vulnerability affecting MajorDoMo (Major Domestic Module), a popular home automation platform. The vulnerability allows unauthenticated attackers to achieve remote code execution through a supply chain compromise attack by poisoning the system's update URL mechanism.

The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication. This occurs because the module uses gr('mode') which reads directly from $_REQUEST instead of the framework's $this->mode property. An attacker can exploit this by first poisoning the system update URL via the auto_update_settings mode handler, then triggering the force_update handler to initiate a malicious update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with minimal validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This chain allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with just two GET requests.

Critical Impact

Unauthenticated attackers can achieve complete server compromise by deploying arbitrary PHP code, including webshells, through update URL poisoning requiring only two GET requests.

Affected Products

• MajorDoMo (Major Domestic Module) - all versions prior to the security fix

Discovery Timeline

• 2026-02-18 - CVE CVE-2026-27180 published to NVD
• 2026-02-19 - Last updated in NVD database

Technical Details for CVE-2026-27180

Vulnerability Analysis

This vulnerability represents a severe supply chain compromise vector that chains multiple security weaknesses into a devastating attack path. The root issue stems from improper access control on the saverestore module's administrative functionality.

The attack exploits an authentication bypass caused by the module directly reading user input via gr('mode') from PHP's $_REQUEST superglobal rather than using the framework's authenticated $this->mode property. This architectural flaw exposes privileged administrative functions to unauthenticated users.

Once access is gained, the attacker leverages unsafe update mechanisms. The system's auto-update feature exhibits multiple security failures: it accepts arbitrary URLs for update feeds, performs inadequate validation on feed content, explicitly disables TLS certificate verification when downloading update packages, and executes shell commands with unsanitized input during the extraction process.

The vulnerability is classified under CWE-494: Download of Code Without Integrity Check, which accurately captures the core security failure of accepting and executing code from untrusted sources without proper verification.

Root Cause

The vulnerability's root cause is twofold. First, the saverestore module bypasses the framework's access control mechanism by using gr('mode') to read request parameters directly, exposing administrative endpoints to unauthenticated users. Second, the update subsystem lacks fundamental security controls: no TLS certificate verification (CURLOPT_SSL_VERIFYPEER is explicitly set to FALSE), no code signing or integrity verification for downloaded packages, and direct shell execution of archive extraction commands. The combination of these issues creates a trivially exploitable attack chain.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker executes the attack in two phases:

Phase 1 - Update URL Poisoning: The attacker sends a GET request to /objects/?module=saverestore with parameters to invoke the auto_update_settings mode handler, setting the update URL to an attacker-controlled server hosting a malicious Atom feed.

Phase 2 - Triggering Malicious Update: A second GET request triggers the force_update handler, which causes the system to:

1. Fetch the Atom feed from the poisoned URL
2. Download the malicious tarball without TLS verification
3. Extract the archive using exec('tar xzvf ...')
4. Copy all extracted files to the web document root via copyTree()

The attacker's malicious archive contains PHP webshells or backdoors that, once copied to the webroot, provide persistent remote access to the compromised system. For detailed technical analysis and proof-of-concept information, see the Chocapikk Blog Post and the VulnCheck Advisory.

Detection Methods for CVE-2026-27180

Indicators of Compromise

• Unexpected HTTP requests to /objects/?module=saverestore with auto_update_settings or force_update mode parameters from external IP addresses
• Modified update configuration settings pointing to non-official domains or IP addresses
• New or unexpected PHP files appearing in the web document root directory
• Outbound connections to unknown external servers during update processes
• Presence of webshells or suspicious PHP files with generic names in the webroot

Detection Strategies

• Monitor web server access logs for requests containing module=saverestore combined with suspicious mode parameters like auto_update_settings or force_update
• Implement file integrity monitoring (FIM) on the MajorDoMo webroot directory to detect unauthorized file additions or modifications
• Configure network monitoring to alert on outbound connections to unknown hosts during update cycles
• Review system configuration for unauthorized changes to update URL settings

Monitoring Recommendations

• Deploy web application firewalls (WAF) with rules to block unauthenticated access to the saverestore module endpoints
• Enable verbose logging for all administrative module access attempts in MajorDoMo
• Implement egress filtering to restrict outbound connections to known legitimate update servers
• Set up real-time alerts for file creation events in the web document root directory

How to Mitigate CVE-2026-27180

Immediate Actions Required

• Apply the security patch from the GitHub Pull Request #1177 immediately
• Review and verify the current update URL configuration is set to the official MajorDoMo server
• Audit the webroot directory for any unauthorized PHP files or webshells
• Restrict network access to the MajorDoMo administrative interface to trusted IP addresses only
• Consider temporarily disabling the auto-update functionality until the patch is applied

Patch Information

A security fix is available via GitHub Pull Request #1177. Users should update to the latest version of MajorDoMo that includes this fix. The patch addresses the authentication bypass in the saverestore module and implements proper access controls for administrative functions. For additional technical details, review the VulnCheck Advisory.

Workarounds

• Implement network-level access controls to restrict access to /objects/?module=saverestore to authenticated administrative networks only
• Configure a web application firewall to block requests containing module=saverestore from untrusted sources
• Disable the auto-update feature entirely by removing or restricting access to update-related configuration endpoints
• Place MajorDoMo behind a reverse proxy with authentication requirements for all administrative endpoints

# Example: Nginx configuration to restrict saverestore module access
location /objects/ {
    # Block unauthenticated access to saverestore module
    if ($args ~* "module=saverestore") {
        return 403;
    }
    # Or restrict to trusted IP addresses
    # allow 192.168.1.0/24;
    # deny all;
}