Gamers hacked playing Call of Duty: WWII—PC version temporarily taken offline

On Saturday, the Call of Duty team announced that the PC version of Call of Duty: WWII has been taken offline following “reports of an issue.”

That issue seems to be a serious security problem, after reports surfaced about a remote code execution (RCE) vulnerability in the game.

After Microsoft’s acquisition of Activision in 2023, Activision’s headline title, Call of Duty, has been slowly making its way over to Xbox and PC Game Pass.

But only days after the 2017 Call of Duty: WWII arrived on Microsoft’s subscription service, the concerning reports started coming in. Players were using an RCE exploit to take over other players’ PCs during live multiplayer matches.

RCE is the name for a critical security flaw that allows attackers to run malicious code on a victim’s machine without their consent or physical access. Exploiting an RCE could lead to data breaches, taking control of systems, and installing malware. In this case, it seems as though attackers were using the RCE vulnerability to gain remote access to other players’ computers during games. They reportedly:

• Opened command prompts on victims’ PCs
• Sent mocking messages via Notepad
• Forced remote shutdowns of players’ computers
• Changed desktop wallpapers to display gay porn

Game Pass is a subscription service offered by Microsoft Gaming. Because consoles generally don’t allow this level of code execution, it’s only Windows PC gamers that were affected by this.

The hacking of older titles is an open-air secret among the Call of Duty community, with players often avoiding the games on Steam. The problem likely lies in the fact that the multi-player game relies on peer-to-peer (P2P) networking which means that one player’s machine acts as the match’s server.

There is a lot of speculation about Activision working to update the game’s anti-cheat systems called “Ricochet” as the title is seemingly rampant with abusers. But whether and how this update will fix the RCE vulnerability is a big unknown. We’ll keep you updated.

What gamers should do

This vulnerability is particularly alarming because it not only allows hackers to disrupt gameplay, it has the potential to compromise gamers’ entire PCs remotely.

This story shows how even established titles can put your machine at risk. While it’s unclear if the Steam version is impacted, these are the things to do:

• Avoid playing Call of Duty: WWII on PC, especially the Microsoft Store and Game Pass versions, until Activision releases a patch.
• Always install security updates as soon as you can.
• Use active anti-malware software for protection.
• Monitor official Activision channels for updates on the fix.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.