Full Report
The game's maker has said only that it is investigating an unspecified "issue," while players have posted videos showing their computers being compromised mid-match. The post Call of Duty takes PC game offline after multiple reports of RCE attacks on players appeared first on CyberScoop.
Analysis Summary
# Incident Report: Call of Duty: WWII RCE Attacks
## Executive Summary
Multiple reports surfaced of a Remote Code Execution (RCE) vulnerability being actively exploited against PC players of *Call of Duty: WWII* during live multiplayer matches. Successful exploitation gave attackers control of the victim's computer. In response, the game's maker temporarily took the PC version offline to investigate.
## Incident Details
- Discovery Date: Around July 5, 2025, when widespread player reports prompted the game to be taken offline
- Incident Date: Reports began around June 30, 2025, coinciding with the game's arrival on Xbox Game Pass
- Affected Organization: Activision/Game Developers (Publisher/Developer)
- Sector: Gaming / Entertainment
- Geography: Global (affects PC players accessing the service)
## Timeline of Events
### Initial Access
- Date/Time: Reports began around June 30, 2025, as the Game Pass release brought a surge of new PC players into matchmaking.
- Vector: Exploitation of an RCE vulnerability in the game client, reportedly reachable over the peer-to-peer (P2P) connections the title uses for multiplayer matches. The exact flaw has not been disclosed.
- Details: Attackers abused the network connection established with other players during a live match to execute arbitrary code on victims' PCs.
### Lateral Movement
- Details: No movement beyond the compromised host was reported; the observed activity stayed on the victim's machine. Videos show a command window opening and system-level actions being taken (PCs shutting down, desktop backgrounds being changed), which is consistent with the attacker having code execution on the host.
### Data Exfiltration/Impact
- Details: No data exfiltration was confirmed. The observed impact was direct control of the victim's operating system: arbitrary command execution (a Windows command file running on screen), forced system shutdowns, and defacement (desktop background changed to pornographic images).
### Detection & Response
- Detection: Detection occurred via widespread user reports and shared video evidence on platforms like X (formerly Twitter).
- Response Actions: On July 5, the official Call of Duty updates account announced that the PC version of *Call of Duty: WWII* had been taken offline on the Microsoft Store "while we investigate reports of an issue."
## Attack Methodology
- Initial Access: An RCE vulnerability in the game client, exploited over the peer-to-peer networking that older *Call of Duty* titles rely on for multiplayer matches.
- Persistence: None reported. The visible activity was immediate command execution; whether any attacker left a foothold behind is unknown.
- Privilege Escalation: None reported. Injected code runs with the privileges of the game process, i.e. the logged-in user, which is already sufficient to shut the machine down, change the wallpaper and access that user's files.
- Defense Evasion: Not applicable as reported. The exploit abuses a flaw in the client's handling of network data; no security control needed to be bypassed, and the attackers made no attempt at stealth.
- Credential Access: Not reported, but code execution as the logged-in user is sufficient to run credential-theft tooling against browser stores and session tokens.
- Discovery: The vulnerability appears to have been known before the Game Pass release brought a large new player base. Prior vulnerability disclosures (CVEs) in older *Call of Duty* titles, dating back roughly six years, point to a long-standing class of issue in these legacy clients.
- Lateral Movement: None reported; control was limited to the victim's local machine.
- Collection: None reported. The only observed activity was the execution of a Windows command file and the resulting system changes.
- Exfiltration: Not confirmed and apparently not the attackers' goal, although full control of the host would have allowed it.
- Impact: Host takeover, denial of service (forced shutdowns), and defacement (wallpaper changes).
## Impact Assessment
- Financial: Not disclosed. Costs include the investigation and the loss of revenue and engagement while a major title was offline.
- Data Breach: Players' local systems were compromised, exposing personal data, saved credentials and privacy to whoever controlled the exploit.
- Operational: The PC version of *Call of Duty: WWII* was temporarily taken offline on the Microsoft Store.
- Reputational: Significant negative attention, since the exploitation happened during a high-visibility re-release.
## Indicators of Compromise
- Network indicators: None published. The exploit traffic rides on the game's own P2P session, and no attacker IPs, domains or payload signatures were released.
- File indicators: None published beyond the on-screen execution of an unidentified Windows command file.
- Behavioral indicators: Game freezing or hitching mid-match, followed by a command window appearing; the game client spawning command interpreters or system utilities; unexpected system shutdowns; unauthorized changes to the desktop background.
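The behavioral indicators above translate directly into a host-side detection: the game client has no legitimate reason to spawn a command interpreter, `reg.exe` or `shutdown.exe`. The following is an added example, not code from the article or from Activision, that evaluates that rule over constructed Sysmon-style process-creation events (Event ID 1 fields `Image`, `ParentImage`, `CommandLine`). The game-client image name `s2_mp64_ship.exe` is an assumption and should be confirmed against the real installation before use.

```python
"""Flag a game client spawning interpreters or system utilities.

Added example: runs over constructed Sysmon-style process-creation
events; the game-client image name is assumed, not confirmed.
"""
import json
import ntpath
from typing import Optional

# Assumed image name of the game client. Verify against the real install.
GAME_CLIENT_IMAGES = {"s2_mp64_ship.exe"}

# Interpreters and utilities a game client has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "reg.exe", "shutdown.exe",
    "certutil.exe", "bitsadmin.exe",
}

# Command-line fragments matching the effects players reported. Every
# fragment in a tuple must appear for the effect label to be applied.
EFFECT_PATTERNS = {
    "forced_shutdown": ("shutdown",),
    "wallpaper_change": ("control panel\\desktop", "wallpaper"),
}


def image_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return ntpath.basename(path).lower()


def effects(command_line: str) -> list:
    """Effect labels whose fragments all occur in the command line."""
    cl = command_line.lower()
    return [name for name, needles in EFFECT_PATTERNS.items()
            if all(n in cl for n in needles)]


def evaluate(event: dict) -> Optional[dict]:
    """Return a finding when the game client spawned a suspicious child."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in GAME_CLIENT_IMAGES or child not in SUSPICIOUS_CHILDREN:
        return None
    command_line = event.get("CommandLine", "")
    return {
        "time": event.get("UtcTime"),
        "parent": parent,
        "child": child,
        "effects": effects(command_line),
        "command_line": command_line,
    }


def scan(lines) -> list:
    """Evaluate newline-delimited JSON events and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = evaluate(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r'''
{"UtcTime": "2025-07-01 20:14:02", "ParentImage": "C:\\Program Files (x86)\\Battle.net\\Battle.net.exe", "Image": "C:\\Games\\CoD WWII\\s2_mp64_ship.exe", "CommandLine": "s2_mp64_ship.exe"}
{"UtcTime": "2025-07-01 20:31:47", "ParentImage": "C:\\Games\\CoD WWII\\s2_mp64_ship.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c shutdown /s /t 0"}
{"UtcTime": "2025-07-01 20:31:48", "ParentImage": "C:\\Games\\CoD WWII\\s2_mp64_ship.exe", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg.exe add \"HKCU\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d C:\\Users\\Public\\bg.jpg /f"}
{"UtcTime": "2025-07-01 20:40:10", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
'''


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{f['time']} {f['parent']} -> {f['child']} {f['effects']} :: {f['command_line']}")
```

The rule deliberately keys on the parent-child relationship rather than on `cmd.exe` alone: a user opening a terminal from Explorer is normal, while the same binary launched by a game process is not. The effect labels are a convenience for triage and do not gate the alert, so a payload that does something other than shut the machine down or change the wallpaper is still caught.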
## Response Actions
- Containment measures: The PC version of *Call of Duty: WWII* was temporarily taken offline on the Microsoft Store, removing the attack surface until a fix is available.
- Eradication steps: Unknown, pending investigation.
- Recovery actions: Unknown, pending remediation and redeployment of the game.
## Lessons Learned
- Key takeaways: Older titles that rely on peer-to-peer networking expose every player's endpoint directly to every other player in the match, so a single client-side parsing bug becomes a wormable, player-to-player RCE.
- What could have been done better: Legacy titles that are about to regain a large audience (for example through a Game Pass release) should be audited and patched beforehand, or moved to dedicated servers so that clients never exchange traffic directly. Vulnerability reports against these clients dating back roughly six years suggest known RCE vectors in the legacy codebase went unaddressed.
## Recommendations
- Prevention measures for similar incidents: Host multiplayer on dedicated servers so that untrusted peers never talk to each other's clients directly, or at minimum audit and patch known RCE vulnerabilities in older titles before a distribution platform reintroduces them to a large user base. Maintain a dedicated security response channel for long-standing, known vulnerabilities, especially those with public proof-of-concept exploits.