Critical Unauthenticated RCE in MajorDoMo Exposes IoT Management Servers
A critical vulnerability in the MajorDoMo home automation platform, tracked as CVE-2026-27174, allows unauthenticated remote code execution on internet-facing servers. The flaw stems from improper authentication handling in /admin.php, where requests continue to be processed after a redirect, combined with unsafe use of PHP eval() on attacker-controlled input in an internal AJAX console/debugging component. Researchers reported that a single crafted HTTP GET request can reach the internal handler and execute arbitrary PHP code without valid credentials.
Successful exploitation can give attackers full server compromise, including the ability to run system commands, read sensitive files, steal credentials, and deploy persistent web shells. Because MajorDoMo is often used to manage cameras, sensors, locks, and other building or home automation systems, a breach can also expose connected IoT environments and support lateral movement into internal networks. Public detection content, including a Nuclei template, is already available, raising the risk of rapid exploitation, and defenders have been urged to apply the vendor patch, restrict admin access to trusted networks, place the interface behind a VPN or authenticated reverse proxy, disable the console feature where possible, audit logs, and rotate secrets.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Broader reporting highlights risk to internet-facing MajorDoMo servers
Subsequent reporting emphasized that CVE-2026-27174 allows a single crafted request to execute arbitrary PHP code on exposed MajorDoMo servers, enabling actions such as command execution, file access, and web shell installation. The coverage also reiterated the risk to connected IoT and building automation environments and urged patching and access restrictions.
Public Nuclei detection template becomes available for CVE-2026-27174
By the time of disclosure, a public ProjectDiscovery Nuclei template existed to detect exposed MajorDoMo instances vulnerable to CVE-2026-27174. Its availability increased the likelihood of rapid identification and potential exploitation of internet-facing servers.
Resecurity discloses MajorDoMo RCE vulnerability CVE-2026-27174
Resecurity published analysis of CVE-2026-27174, a critical unauthenticated remote code execution flaw in the MajorDoMo home automation platform. The issue stems from improper authentication handling in /admin.php combined with unsafe PHP eval() use in an internal console/debugging feature.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
Mar 21, 2026
Multiple Critical Vulnerabilities in IoT/OT Network Devices and Controllers
Several high-severity vulnerabilities were disclosed across IoT/OT infrastructure products, creating pathways to **unauthenticated remote code execution** or full device compromise. **Ruckus vRIoT IoT Controller** was reported to contain two **CVSS 10.0** issues—`CVE-2025-69425` and `CVE-2025-69426`—driven by **hardcoded secrets/credentials** that enable attackers to bypass authentication and obtain **root-level command execution**, including via a service listening on **TCP port 2004**. Separately, Singapore’s **CSA** issued a high-priority alert for **Advantech** software affected by a **CVSS 10.0 SQL injection** (`CVE-2025-52694`) that allows an **unauthenticated remote attacker** to execute arbitrary SQL commands against exposed services, impacting multiple *IoTSuite* and *IoT Edge* components and requiring upgrades (some obtained via vendor support channels).
Mar 21, 2026
Multiple Critical Vulnerabilities in Popular Enterprise Software and Devices
Several critical vulnerabilities have been disclosed in widely used enterprise products, each posing significant security risks. A flaw in ASUSTOR devices (CVE-2025-13051) allows local attackers to escalate privileges to SYSTEM via DLL hijacking, potentially granting full control over affected systems. Separately, Apache Causeway is impacted by a remote code execution vulnerability (CVE-2025-64408) that enables authenticated attackers to execute arbitrary code through Java deserialization, threatening the integrity of applications built on this framework. Additionally, the D-Link DIR-878 router, now at end-of-life, contains three unpatched remote code execution flaws that allow unauthenticated attackers to run commands remotely, leaving users exposed with no forthcoming security updates. Apache Tomcat is also affected by a critical path traversal vulnerability (CVE-2025-55752), which can be exploited under certain rewrite configurations to access sensitive directories, especially when HTTP PUT is enabled. Organizations using these products should urgently assess their exposure and apply mitigations or seek alternatives where patches are unavailable.
Mar 21, 2026