Full Report
Gamemakers have only said they are investigating an unspecified “issue.” Players are posting videos of their computers being compromised. The post Call of Duty takes PC game offline after multiple reports of RCE attacks on players appeared first on CyberScoop.
Analysis Summary
# Incident Report: Call of Duty: WWII RCE Attack
## Executive Summary
The PC version of the game *Call of Duty: World War 2* was taken offline following widespread reports of active Remote Code Execution (RCE) attacks targeting players during live multiplayer matches. The vulnerability, likely stemming from the game's shift to peer-to-peer networking for an older title, allowed attackers to compromise victim computers, leading to session hijacking, system shutdowns, and malicious file execution. Game developers temporarily removed the title from the Microsoft Store to investigate and mitigate the issue.
## Incident Details
- Discovery Date: Shortly before or on July 5, 2025 (when the game was pulled offline following widespread reports).
- Incident Date: Reports began surfacing as early as June 30, 2025 (CoD: WWII released on GamePass).
- Affected Organization: Game developer/publisher of Call of Duty (Activision is implied).
- Sector: Gaming/Entertainment Technology.
- Geography: Global (affecting PC players).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing, amplified around July 5, 2025.
- Vector: Exploitation via peer-to-peer networking connections in *Call of Duty: World War 2* on PC.
- Details: As older games retire dedicated servers, they switch to P2P networking, allowing opponents in a match to potentially connect directly to a player's machine, exposing a vulnerability.
### Lateral Movement
- Not explicitly detailed, but the RCE allowed attackers to execute Windows command files directly on the victim's system.
### Data Exfiltration/Impact
- Impact: Attackers gained control over victim PCs, leading to session takeover, system shutdowns, and the modification of desktop backgrounds (e.g., changing them to pornographic images). One reported case involved the attacker instructing the victim to contact a specific entertainment law firm.
### Detection & Response
- Detection: Public discovery through widespread reports and video evidence posted by affected players on social media (X.com).
- Response actions taken: The game developers announced on July 5 that the PC version of *Call of Duty: World War 2* was removed from the Microsoft Store "while we investigate reports of an issue."
## Attack Methodology
- Initial Access: Remote Code Execution (RCE) exploitation during P2P multiplayer sessions.
- Persistence: Not explicitly detailed, though system shutdowns suggest immediate impact rather than long-term persistence.
- Privilege Escalation: The vulnerability granted code execution rights, which often implies sufficient privileges to cause significant system changes.
- Defense Evasion: Exploitation relies on a fundamental flaw in the networking model, suggesting existing security measures were insufficient against this specific exploit.
- Credential Access: Not explicitly mentioned, though RCE can facilitate credential theft.
- Discovery: The vulnerability likely existed within the game's code, potentially leveraged by actors familiar with known issues in older *Call of Duty* titles.
- Lateral Movement: Confined to the compromised local machine (though possible network activity may have occurred).
- Collection: Unspecified, beyond the observed system takeover commands.
- Exfiltration: No large-scale data exfiltration confirmed, but local data/system control was achieved.
- Impact: System compromise, remote control, and disruption of service.
## Impact Assessment
- Financial: Not quantified, but included costs related to investigating the issue and the temporary removal of the game from sale/service.
- Data Breach: Unknown specific data compromised, but sensitive local data on affected user PCs was at risk due to RCE.
- Operational: Significant operational disruption, forcing the temporary offline status of the PC version of the game.
- Reputational: Negative impact tarnishing the reputation of the game series, already known historically for cheating issues.
## Indicators of Compromise
- Network indicators: Related to exploit traffic during P2P connections (specific IPs/domains not provided in the summary).
- File indicators: Execution of malicious Windows command files observed on victim systems.
- Behavioral indicators: Game freezing immediately preceding system command execution; unexpected system shutdowns; desktop wallpaper modification.
## Response Actions
- Containment measures: Immediately removing the affected PC version of the game from the Microsoft Store.
- Eradication steps: Investigation into the RCE vulnerability.
- Recovery actions: Awaiting developer resolution before restoring the game service.
## Lessons Learned
- Key takeaways: Older titles utilizing peer-to-peer networking present significant inherent security risks when dedicated server infrastructure is decommissioned. Known vulnerabilities in legacy software continue to be exploited years later (historical CVEs were flagged six years prior).
- What could have been done better: Proactive vulnerability remediation for aging titles, especially concerning network architecture changes that expose client machines to direct peer interaction.
## Recommendations
- Implement rigorous security audits for legacy PC titles before transitioning network architecture (e.g., shifting from dedicated to P2P).
- Regularly patch or retire titles known to have unpatched, high-severity vulnerabilities like RCEs, even if they are older releases.
- Advise players of known security risks associated with older P2P-enabled multiplayer games.