Call of Duty Exploit – RCE Vulnerability Allows Gamers to Hack Each Other’s PCs

Activision has taken the PC version of Call of Duty: WWII offline following reports of a critical security vulnerability that enables players to remotely access and control other gamers’ computers during multiplayer matches.

The issue emerged just days after the 2017 title became available on Microsoft’s Game Pass subscription service, highlighting serious cybersecurity concerns in the online gaming industry.

Remote Code Execution Vulnerability Explained

The security flaw is classified as a Remote Code Execution (RCE) vulnerability, one of the most severe types of cybersecurity threats.

RCE allows attackers to run malicious code on a victim’s machine without requiring physical access or user consent.

In the context of Call of Duty: WWII, malicious players have exploited this vulnerability to gain unauthorized control over other players’ Windows PCs during live multiplayer sessions.

The attacks have taken various forms, ranging from disruptive pranks to potentially more serious security breaches.

Affected players reported that attackers were able to open command prompts on their computers, display mocking messages through Notepad, force remote shutdowns, and even change desktop wallpapers to inappropriate content.

These actions demonstrate the extensive level of system access that the vulnerability provides to attackers.

The root cause of this security issue likely stems from the game’s reliance on peer-to-peer (P2P) networking architecture.

In P2P multiplayer games, one player’s machine acts as the server for the match, establishing direct connections between the computers of the other players.

This architecture can create security vulnerabilities if not correctly implemented with adequate protections.

Community Response and Ongoing Concerns

The Call of Duty community has long been aware of security issues affecting older titles in the franchise, with many players actively avoiding these games on platforms like Steam due to known vulnerabilities.

The recent incident has intensified these concerns, particularly as it affects the Game Pass version that Microsoft promoted as part of its expansion of its subscription service.

Console players remain unaffected by this particular vulnerability, as gaming consoles typically operate with more restrictive security models that prevent the level of code execution possible on Windows PCs.

This limitation has a specific impact on PC gamers. While Activision is reportedly working on updates to their “Ricochet” anti-cheat system, the timeline and effectiveness of these measures against the RCE vulnerability remain unclear.

Security experts recommend that PC players avoid Call of Duty: WWII entirely until an official patch is released, maintain updated anti-malware software, and monitor official Activision channels for security updates.

The incident serves as a stark reminder of the cybersecurity risks inherent in online gaming, particularly for older titles that may not have been designed with modern security standards in mind.