MajorDoMo RCE flaw lets attackers run code on exposed smart-home servers
A critical MajorDoMo vulnerability can let unauthenticated attackers run PHP code on exposed servers through the platform’s admin panel. The flaw is tracked as CVE-2026-27174 and affects the MajorDoMo home automation platform, also known as Major Domestic Module.
The issue is serious because attackers do not need valid login credentials. A crafted request to the administrative path can reach an internal console handler that should only be available to trusted administrators.
MajorDoMo is often used to manage smart-home and IoT environments, including cameras, sensors, automation routines, and internal services. A server compromise can therefore move beyond a web application issue and become a broader network security problem.
What CVE-2026-27174 is
CVE-2026-27174 is an unauthenticated remote code execution flaw in MajorDoMo’s admin panel PHP console feature. NVD describes the bug as an include order issue in modules/panel.class.php.
The vulnerable code redirects unauthorized users, but execution continues because the redirect does not stop the script. That allows unauthenticated requests to reach inc_panel_ajax.php, where the console handler processes user-controlled input.
The dangerous part is the use of PHP eval() on attacker-controlled data. If an attacker reaches that console path, they can make the server execute arbitrary PHP code.
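The redirect-without-exit pattern described above can be audited for in a PHP code base. The following is an added example, not code from the MajorDoMo project or the advisory: a small Python check that flags redirect calls not followed by exit, die, or return. The helper name redirect( and both PHP snippets are constructed assumptions.

```python
import re

# Calls that send a redirect. header("Location: ...") is PHP's built-in;
# "redirect(" is an assumed name for a project-level helper.
REDIRECT = re.compile(r"""\bheader\s*\(\s*['"]Location:|\bredirect\s*\(""", re.I)
STOP = re.compile(r"^\s*(exit|die|return)\b", re.I)   # statements that halt the flow
COMMENT = re.compile(r"^\s*(//|#|/\*|\*)")

def unterminated_redirects(php_source):
    """Return 1-based line numbers of redirects not followed by exit/die/return."""
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = REDIRECT.search(line)
        if not m or "function " in line:      # skip the helper's own definition
            continue
        # Same-line termination, e.g. header("Location: /x"); exit;
        if re.search(r";\s*(exit|die|return)\b", line[m.end():], re.I):
            continue
        # Otherwise inspect the next statement, skipping blanks and comments.
        nxt = next((l for l in lines[i + 1:]
                    if l.strip() and not COMMENT.match(l)), "")
        if not STOP.match(nxt):
            findings.append(i + 1)
    return findings

# Constructed PHP snippets: the first mirrors the flaw class, the second the fix.
VULNERABLE = '''<?php
if (!$authorized) {
    redirect("/login.php");   // Location header sent, script keeps running
}
include "console_handler.php";
'''
FIXED = '''<?php
if (!$authorized) {
    header("Location: /login.php");
    exit;
}
include "console_handler.php";
'''
```

This is a line-based heuristic, so findings are candidates for manual review rather than confirmed bugs.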
At a glance
| Detail | Information |
|---|---|
| CVE | CVE-2026-27174 |
| Product | MajorDoMo, also known as Major Domestic Module |
| Bug type | Unauthenticated remote code execution |
| Weakness | CWE-94, improper control of code generation |
| Severity | Critical |
| CVSS score | 9.3 in VulnCheck’s CVSS v4 scoring and 9.8 in CVSS v3.1 records |
| Attack access | Network access to a vulnerable admin panel |
| Authentication needed | No |
| User interaction needed | No |
How the attack path works
The attack chain starts in the admin.php request flow. MajorDoMo tries to send unauthenticated users away from the admin area, but the backend continues processing after the redirect.
That execution path can include the AJAX panel handler. The handler exposes a console operation that reads request parameters and passes input into PHP evaluation logic.
A remote attacker can abuse that flow to execute code in the web application context. From there, the attacker may read configuration files, inspect credentials, modify automation logic, or place a persistent web shell if file permissions allow it.
Why exposed MajorDoMo servers face higher risk
MajorDoMo sits close to physical environments. It can connect automation rules, cameras, lighting, sensors, climate systems, and other smart devices through one self-hosted dashboard.
That makes remote code execution especially dangerous. A compromised MajorDoMo host may give attackers access to private camera feeds, device controls, stored passwords, local scripts, and internal network routes.
Attackers may also use the server as a stepping stone. Once they gain code execution, they can scan internal hosts, steal secrets, or attempt lateral movement into systems that were never meant to face the internet.
Why public detection increases urgency
The vulnerability is already documented in public security databases, and a detection template has appeared in the ProjectDiscovery Nuclei ecosystem. That means defenders can scan for exposure, but attackers can also use public knowledge to find vulnerable systems faster.
VulnCheck also lists CVE-2026-27174 in its known exploited vulnerability intelligence. That does not automatically prove mass exploitation on every exposed server, but it does raise the priority for patching and access control.
Administrators should assume exposed MajorDoMo admin panels will attract scanning. Internet-facing admin panels should not remain reachable from untrusted networks.
Risk areas for administrators
| Risk area | Why it matters | Action to take |
|---|---|---|
| Exposed admin panel | Attackers can reach the vulnerable request flow from the internet | Restrict access to trusted IPs or VPN users |
| PHP code execution | eval() can turn request input into server-side code execution | Apply the fixed MajorDoMo code path |
| Stored credentials | Automation platforms often store device, database, and API secrets | Rotate credentials after suspected exposure |
| Connected IoT devices | A web compromise can affect cameras, sensors, and automation routines | Review device permissions and network segmentation |
| Persistence | Attackers may write web shells or modify scripts | Search for unexpected PHP files and scheduled tasks |
What administrators should do now
Administrators should update MajorDoMo to a build that includes the February 18, 2026 security fixes from the upstream project. The public GitHub fix merged changes for eight vulnerabilities, including the unauthenticated console eval RCE.
If immediate updating is not possible, the admin interface should be removed from public access at once. Put MajorDoMo behind a VPN, reverse proxy authentication, firewall allowlist, or private network path.
Teams should also review web server logs for unusual requests to admin.php that include AJAX panel, operation, or command-related parameters. Such requests from unknown IP addresses should trigger an investigation.
Recommended response checklist
- Check whether the MajorDoMo admin panel is reachable from the internet.
- Block public access to admin.php and other administrative routes.
- Update to the latest MajorDoMo code that includes the merged security fix.
- Review logs for suspicious requests to admin.php.
- Look for unexpected PHP files in web-accessible directories.
- Check for suspicious child processes spawned by the web server user.
- Rotate database, device, API, and admin credentials if exposure is suspected.
- Segment IoT devices from business systems and sensitive internal networks.
- Back up clean configurations before restoring or rebuilding affected systems.
Possible signs of compromise
Suspicious network activity may include repeated requests to MajorDoMo’s admin route from unfamiliar IP addresses. Requests containing admin console routing parameters deserve special attention, even when the server appears to return a redirect.
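The log review described here and in the update guidance above can be scripted. The following is an added example, not part of the original article or any vendor tooling: a Python triage over combined-format access logs that reports admin.php requests carrying console-style parameters from untrusted addresses, including those answered with a redirect. The parameter hints, trusted network, and sample log lines are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit

# Assumptions: hint substrings come from the article's wording, not from
# confirmed MajorDoMo parameter names; TRUSTED is a constructed allowlist.
PARAM_HINTS = ("ajax", "panel", "operation", "command")
TRUSTED = [ip_network("192.168.1.0/24")]
# Leading fields of the Apache/nginx "combined" access-log format.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def triage(log_lines):
    """Return (client_ip, status, matched_params) for admin.php requests to review."""
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/admin.php"):
            continue
        names = {k.lower() for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        matched = sorted(n for n in names if any(h in n for h in PARAM_HINTS))
        if not matched or any(ip_address(ip) in net for net in TRUSTED):
            continue
        # A 3xx status does not clear the request: the redirect is sent, but
        # on a vulnerable build the script keeps running afterwards.
        hits.append((ip, int(status), matched))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE = [
    '203.0.113.7 - - [19/Feb/2026:03:14:07 +0000] "GET /admin.php?panel_ajax=1&operation=console&command=REDACTED HTTP/1.1" 302 0 "-" "-"',
    '192.168.1.20 - - [19/Feb/2026:08:00:01 +0000] "GET /admin.php?panel_ajax=1&operation=list HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [19/Feb/2026:09:30:44 +0000] "GET /admin.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.9 - - [19/Feb/2026:09:31:02 +0000] "GET /index.php?command=status HTTP/1.1" 200 90 "-" "-"',
]
```

Access logs record only query-string parameters, so requests that carry parameters in a POST body need request-body logging or a proxy capture to be seen.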
On the host side, administrators should look for web server child processes running unexpected commands. They should also check temporary directories, upload paths, and web-accessible folders for new PHP files.
Unusual outbound connections from the MajorDoMo server may also indicate compromise. A home automation server should not suddenly connect to unknown external hosts, download scripts, or contact suspicious infrastructure.
How to reduce future exposure
MajorDoMo and similar automation platforms should never expose their admin interfaces directly to the internet unless strong access controls sit in front of them. A private dashboard can become a public attack surface when port forwarding or reverse proxies are misconfigured.
Administrators should also separate smart-home devices from laptops, phones, business systems, and storage devices. Network segmentation limits what an attacker can reach after compromising the automation server.
Finally, keep a routine update process for self-hosted platforms. Home automation systems often run quietly for years, but old code, exposed panels, and stored secrets create attractive targets.
FAQ
MajorDoMo can manage cameras, sensors, automation scripts, credentials, and internal devices. Code execution on that server can expose more than the web interface.
The bug comes from an authentication redirect that does not stop script execution, combined with a console handler that passes user-controlled input into PHP eval().
No. Public advisories describe the flaw as unauthenticated, which means attackers do not need valid login credentials.
CVE-2026-27174 is a critical MajorDoMo vulnerability that allows unauthenticated remote code execution through the admin panel PHP console feature.