MajorDoMo is a smart home and building automation platform; a successful exploit gives an attacker complete control of the host running it, and that host in turn may control physical devices, sensors, or internal network segments. Because the vulnerable endpoints require no login credentials, any attacker who can reach the web interface over the internet or an internal network can take over the system without prior access. Organizations using MajorDoMo in facility management, residential, or IoT environments face operational disruption, unauthorized physical access control, and a potential pivot into broader internal networks.
You Are Affected If
You run MajorDoMo (Major Domestic Module) in any version in a production or operational environment
The MajorDoMo web interface (rc/index.php or cycle_execs.php) is accessible from the internet or from untrusted network segments without authentication controls at the network layer
You have not applied a vendor-confirmed patch for CVE-2026-27175 or implemented compensating controls blocking unauthenticated access to rc/index.php and cycle_execs.php
The MajorDoMo host is on a network segment shared with or routable to sensitive internal systems, increasing lateral movement risk if the host is compromised
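A quick way to check the second and third conditions above against what has already happened is to triage the web server's access log for requests to the two named endpoints that did not come from a trusted range. The script below is an added example for this advisory, not code from MajorDoMo or from the advisory's authors. It assumes the server writes the Apache/nginx combined log format, that a trusted allowlist of CIDRs is known (192.168.1.0/24 here is an assumption), and that the two paths may sit under a deployment prefix, so they are matched as path suffixes. The sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Request paths the advisory names as reachable without authentication.
# Matched as "/<suffix>" at the end of the path because MajorDoMo may be
# deployed under a base path (assumption; adjust to your install).
SUSPECT_SUFFIXES = ("/rc/index.php", "/cycle_execs.php")

# Combined log format as written by Apache and nginx by default (assumption:
# your server uses it; adapt the regex otherwise).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one trusted LAN client, one untrusted scanner that
# is served both endpoints, one unrelated request, and one junk line.
SAMPLE_LOG = """\
192.168.1.20 - - [12/Mar/2026:08:01:12 +0000] "GET /panel/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2026:08:01:15 +0000] "GET /rc/index.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2026:08:02:03 +0000] "GET /rc/index.php HTTP/1.1" 200 311 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2026:08:02:04 +0000] "POST /cycle_execs.php HTTP/1.1" 200 17 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2026:08:03:40 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "curl/8.4"
this line is not a log record
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
    }


def is_suspect_path(path):
    """True if the request path ends with one of the advisory's endpoints."""
    return any(path.endswith(s) for s in SUSPECT_SUFFIXES)


def in_allowlist(ip, allowlist):
    """True if ip falls inside any allowlisted network.

    A value that is not an IP (e.g. a hostname when the server resolves
    clients) is treated as untrusted rather than crashing the triage.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def find_untrusted_hits(lines, allowlist_cidrs):
    """Return parsed records for suspect-endpoint requests from outside the allowlist."""
    allowlist = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_suspect_path(rec["path"]) and not in_allowlist(rec["ip"], allowlist):
            hits.append(rec)
    return hits


def summarize(hits):
    """Per source IP: total suspect requests and how many were served (status < 400).

    A served request means the endpoint answered an untrusted client; a 401/403
    means a network-layer or web-server control did its job.
    """
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h["ip"], {"total": 0, "served": 0})
        entry["total"] += 1
        if h["status"] < 400:
            entry["served"] += 1
    return by_ip


if __name__ == "__main__":
    found = find_untrusted_hits(SAMPLE_LOG.splitlines(), ["192.168.1.0/24"])
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize(found))
```

Run it against the real access log with `find_untrusted_hits(open(path), trusted_cidrs)`; any served hit from an untrusted address means the host should be treated as potentially compromised, not merely exposed, and the incident response steps in the talking points below apply before patching.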
Board Talking Points
A publicly confirmed, actively exploited vulnerability in MajorDoMo smart home software allows any attacker on the network to take full control of the system without a password — CISA has flagged this as a known exploited vulnerability requiring immediate action.
IT and security teams should isolate or shut down any internet-facing MajorDoMo instances immediately and apply the vendor patch as soon as it is confirmed available, with a target remediation window of 24-48 hours given active exploitation.
Organizations that do not act risk full system compromise of affected hosts, potential disruption of any physical or operational systems the platform controls, and lateral movement into broader internal networks.