module
MajorDoMo Remote Command Injection via cycle_execs Race Condition
| Disclosed | Created |
|---|---|
| Feb 18, 2026 | Mar 2, 2026 |
Disclosed
Feb 18, 2026
Created
Mar 2, 2026
Description
This module exploits an unauthenticated command injection vulnerability in MajorDoMo's
remote command handler (rc/index.php). The param parameter is interpolated into double
quotes without escapeshellarg(), and the resulting string is passed to safe_exec() which
inserts it into the safe_execs database table with no sanitization.
The cycle_execs.php worker script is web-accessible without authentication. On startup it
purges the safe_execs queue, then enters an infinite loop polling the table every second
and passing each command to exec(). A race condition is required: the worker must be
started first (which purges existing entries), then the injection is performed while the
worker is polling. The next iteration picks up and executes the attacker's payload.
The command parameter must reference a valid .bat file in rc/commands/. The default
MajorDoMo installation ships with shutdown.bat, displayon.bat, and displayoff.bat.
All versions of MajorDoMo up to and including the latest release are affected.
The fix is tracked in PR sergejey/majordomo#1177.
remote command handler (rc/index.php). The param parameter is interpolated into double
quotes without escapeshellarg(), and the resulting string is passed to safe_exec() which
inserts it into the safe_execs database table with no sanitization.
The cycle_execs.php worker script is web-accessible without authentication. On startup it
purges the safe_execs queue, then enters an infinite loop polling the table every second
and passing each command to exec(). A race condition is required: the worker must be
started first (which purges existing entries), then the injection is performed while the
worker is polling. The next iteration picks up and executes the attacker's payload.
The command parameter must reference a valid .bat file in rc/commands/. The default
MajorDoMo installation ships with shutdown.bat, displayon.bat, and displayoff.bat.
All versions of MajorDoMo up to and including the latest release are affected.
The fix is tracked in PR sergejey/majordomo#1177.
Author
Valentin Lobstein [email protected]
Platform
Linux,Unix,Windows
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.