MajorDoMo Supply Chain RCE via Update Poisoning
| Disclosed | Created |
|---|---|
| Feb 18, 2026 | Mar 2, 2026 |
Description
This module exploits an unauthenticated remote code execution vulnerability in
MajorDoMo's saverestore module via supply chain poisoning. The saverestore module's
admin() method is reachable without authentication through the /objects/?module=saverestore
endpoint because usual() calls admin() directly and uses gr() (which reads from $_REQUEST)
instead of $this->mode for mode checks.
Two unauthenticated GET requests chain together for full RCE:
1. auto_update_settings - poisons the MASTER_UPDATE_URL to point to an attacker-controlled server
2. force_update - triggers autoUpdateSystem() which fetches an Atom feed and tarball from the
poisoned URL, extracts the tarball, and copies all files to the webroot via copyTree()
The tarball is downloaded via curl with CURLOPT_SSL_VERIFYPEER set to FALSE and no integrity
check. The attacker serves a fake Atom feed with an entry older than the configured delay
(default 1 day) and a tarball containing a PHP webshell. After deployment, the module
executes the payload through the webshell.
All versions of MajorDoMo up to and including the latest release are affected.
The fix is tracked in PR sergejey/majordomo#1177.
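As an added defensive example (not part of this module page or of the MajorDoMo project), the following Python script checks web-server access logs for the two-request pattern described above: a client that changes the update settings and then forces an update within a short window. The log format (Apache/nginx "combined"), the assumption that the mode names `auto_update_settings` and `force_update` appear literally in the query string of a `module=saverestore` request, the sample log lines and the pinned update host are all constructed here; the page does not document how the module actually carries its mode, so real deployments should adjust the matching to their own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Mode names taken from the advisory text. How the query string encodes the
# mode is an assumption, so they are matched as substrings of any request
# that also names the saverestore module.
POISON_MODE = "auto_update_settings"
TRIGGER_MODE = "force_update"

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2026:10:00:01 +0000] "GET /objects/?module=saverestore&auto_update_settings=1 HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [18/Feb/2026:10:00:03 +0000] "GET /objects/?module=saverestore&force_update=1 HTTP/1.1" 200 128 "-" "curl/8.5"
192.0.2.10 - - [18/Feb/2026:10:05:00 +0000] "GET /objects/?module=saverestore HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Feb/2026:10:05:20 +0000] "GET /panel/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Feb/2026:11:30:00 +0000] "GET /objects/?module=saverestore&force_update=1 HTTP/1.1" 200 128 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def saverestore_mode(path):
    """Return the update-related mode a saverestore request carries, else None."""
    if "module=saverestore" not in path:
        return None
    for mode in (POISON_MODE, TRIGGER_MODE):
        if mode in path:
            return mode
    return None


def find_update_poisoning(lines, window=timedelta(minutes=10)):
    """Group saverestore update hits by client and rate them.

    high:   the same client sent auto_update_settings and then force_update
            within `window` (the full chain from the advisory)
    medium: a client reached either mode on its own; still worth review,
            since neither should be callable without an admin session
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        mode = saverestore_mode(rec["path"])
        if mode:
            hits[rec["ip"]].append((rec["ts"], mode))

    findings = []
    for ip, events in hits.items():
        events.sort()
        poison_times = [ts for ts, mode in events if mode == POISON_MODE]
        chained = [
            ts for ts, mode in events
            if mode == TRIGGER_MODE
            and any(timedelta(0) <= ts - p <= window for p in poison_times)
        ]
        if chained:
            findings.append({"ip": ip, "severity": "high",
                             "reason": "update settings change followed by forced update",
                             "at": chained[0]})
        else:
            for ts, mode in events:
                findings.append({"ip": ip, "severity": "medium",
                                 "reason": f"{mode} reached", "at": ts})
    return findings


def update_url_is_expected(configured_url, expected_host):
    """Config check: the update source must still point at the pinned host over
    https. `expected_host` is a deployment-specific placeholder, not a value
    from the advisory."""
    parts = urlsplit(configured_url)
    return parts.scheme == "https" and parts.hostname == expected_host


if __name__ == "__main__":
    for f in find_update_poisoning(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["ip"], f["reason"], f["at"].isoformat())
    # A poisoned MASTER_UPDATE_URL would fail this check.
    print(update_url_is_expected("http://198.51.100.9/", "updates.example.invalid"))
```

Run against the sample, the chained client is reported once at high severity, the client that only reached `force_update` is reported at medium, and the plain `module=saverestore` page load is ignored. The `update_url_is_expected` check is the complementary configuration control: alert whenever the stored update URL no longer matches the host and scheme the deployment pinned.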
Author
Valentin Lobstein [email protected]
Platform
Linux, PHP, Unix, Windows
Architectures
php, cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':