MajorDoMo contains a critical unauthenticated OS command injection vulnerability (CVE-2026-27175, CVSS 9.8). It is listed in the CISA KEV catalog, indicating active exploitation in the wild. An attacker with network access can achieve full host compromise in approximately one second, with no credentials required. No confirmed patched release is available as of this report date, so restricting network-level access to cycle_execs.php and rc/index.php is the essential immediate control. Any internet-facing MajorDoMo instance should be taken offline or placed behind strict network access controls until a patch is confirmed.
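
To confirm that the restriction on cycle_execs.php and rc/index.php is actually holding, the web server's access log can be audited for requests to those endpoints from outside an allowlist. This is an added example, not part of the original report or of the MajorDoMo project; the allowlisted networks, the combined log format, the treatment of a bare rc/ as the directory index, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

RESTRICTED = ("/cycle_execs.php", "/rc/index.php")  # endpoints named in the report
# Assumption: networks that may legitimately reach them; replace with your own.
ALLOWED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.20.0.0/24")]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

def normalise(target):
    # Drop the query, percent-decode, lowercase, then resolve '', '.' and '..'.
    path = unquote(target.split("?", 1)[0].split("#", 1)[0]).lower()
    parts = []
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            parts = parts[:-1]
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)

def is_restricted(target):
    p = normalise(target) + "/"
    # Assumption: a bare ".../rc/" is served by rc/index.php via the directory index.
    return p.endswith("/rc/") or any(f + "/" in p for f in RESTRICTED)

def is_allowed(src):
    try:
        return any(ipaddress.ip_address(src) in net for net in ALLOWED)
    except ValueError:  # hostname or garbage in the client field
        return False

def audit(lines):
    # External requests to the restricted endpoints; served=True means not refused.
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_restricted(m.group(2)) or is_allowed(m.group(1)):
            continue
        findings.append({"src": m.group(1), "target": m.group(2), "served": int(m.group(3)) < 400})
    return findings

SAMPLE_LOG = [  # constructed lines, combined log format (assumed), documentation IP ranges
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /cycle_execs.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.9 - - [01/Jan/2026:10:00:05 +0000] "POST //rc/./index%2Ephp?a=1 HTTP/1.1" 403 0 "-" "-"',
    '10.20.0.15 - - [01/Jan/2026:10:00:09 +0000] "GET /rc/index.php HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.44 - - [01/Jan/2026:10:00:20 +0000] "GET /majordomo/rc/ HTTP/1.1" 200 40 "-" "-"',
]
if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Any finding with served set to True means an external source reached one of the endpoints and the access control needs to be fixed. Traffic dropped at a firewall never reaches the web server log, so an empty result should be cross-checked against the firewall's own logs.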