This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: MajorDoMo has an unauthenticated RCE via update poisoning. **Consequences**: Attackers poison update URLs, trigger forced updates, download malicious tarballs, and execute code on the server.…
**CWE-494**: Download of Code from an Untrusted Source. **Flaw**: The `saverestore` module exposes `admin()` via `/objects/?module=saverestore` without authentication.…
**Product**: MajorDoMo (open-source DIY smart home platform). **Vendor**: sergejey. **Component**: `saverestore` module. **Scope**: Any instance running the vulnerable version without the fix from PR #1177.
Q4: What can hackers do? (Privileges/Data)
**Privileges**: Remote Code Execution (RCE) as the web server user. **Data**: Full access to the document root, system files, and potentially other smart home devices.…
**Threshold**: VERY LOW. **Auth**: None required (unauthenticated). **Network**: Network-accessible (AV:N). **UI**: No user interaction needed (UI:N). **Complexity**: Low (AC:L).
Q6: Is there a public Exp? (PoC/Wild Exploitation)
**Public Exp**: YES. **PoC**: Available on GitHub (`mbanyamer/CVE-2026-27180-MajorDoMo-unauthenticated-RCE`). **Advisories**: VulnCheck and Chocapikk have published detailed analysis.…
**Fixed**: YES. **Patch**: PR #1177 (`sergejey/majordomo#1177`) addresses the issue. **Action**: Update MajorDoMo to the latest version including this PR.…
**Workaround**: Block external access to the `/objects/` endpoint via WAF/NGINX. **Restrict**: Disable automatic update features if possible. **Network**: Isolate the MajorDoMo instance from the internet.…
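As an added example (not part of this analysis and not the MajorDoMo project's own configuration), an NGINX reverse-proxy fragment that implements the workaround above: the `/objects/` path is limited to an assumed LAN range, and any request that selects the `saverestore` module is rejected before it reaches the application. The hostname, the `192.168.0.0/16` range and the `127.0.0.1:8080` upstream are assumptions for illustration; the `/objects/` path and the `saverestore` module name come from the analysis.

```nginx
# Added example: temporary mitigation for an unpatched MajorDoMo instance.
# This is defense-in-depth only; applying the fix from PR #1177 is the real remedy.
server {
    listen 80;
    server_name majordomo.example.internal;   # assumed hostname

    location /objects/ {
        # Reject the saverestore module for every client, since the analysis
        # describes it as reachable without authentication.
        if ($arg_module = "saverestore") {
            return 403;
        }

        # Only clients on the assumed LAN range may reach the rest of /objects/.
        allow 192.168.0.0/16;
        deny  all;

        proxy_pass http://127.0.0.1:8080;   # assumed upstream MajorDoMo listener
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed upstream MajorDoMo listener
    }
}
```

Two practical notes: the rule only helps if MajorDoMo itself is bound to localhost (or otherwise unreachable except through this proxy), so verify the application port is not exposed directly; and the `$arg_module` comparison is a coarse string match on the raw query string, so the address allowlist and the upstream patch, not that single check, should be treated as the primary controls.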