Activision Confirms Call of Duty: WWII PC Pulled Due to Player Hacks
In a significant development for the online gaming community, Activision has confirmed that it took the Microsoft Store and Game Pass version of the 2017 first-person shooter, Call of Duty: WWII, offline due to hackers exploiting a critical vulnerability. This exploit led to several players having their personal computers compromised, according to sources with knowledge of Activision's response who spoke to TechCrunch.
Last week, Activision publicly announced the temporary removal of the game from the Microsoft Store and Game Pass PC service, citing only that the company was investigating “reports of an issue.” At the time, the exact nature of the problem remained undisclosed, fueling speculation among players and gaming news outlets.
The confirmation that the takedown was a direct response to player hacks underscores the severity of the issue. Reports had surfaced on social media and gaming forums from players claiming their computers were compromised while playing the game on the affected platform. These reports included instances of unexpected pop-ups, system shutdowns, and even changes to desktop wallpapers, strongly suggesting unauthorized access to their machines.
Understanding the Threat: Remote Code Execution (RCE)
The flaw exploited by hackers is described as a remote code execution (RCE) vulnerability. This class of flaw is particularly dangerous because it allows an attacker to execute arbitrary code on a victim's computer without needing physical access. In the context of an online game, this means a malicious actor could potentially send specific data packets or commands through the game's network connection that trick the game client into running code supplied by the attacker. That code could do anything from annoying pranks like changing wallpapers to installing malicious software such as infostealers, ransomware, or other forms of malware capable of taking full control of the compromised device.
For players, an RCE vulnerability in a game is one of the most serious threats they can face. Unlike cheating, which primarily affects gameplay fairness, an RCE exploit can directly impact their personal data and system security, extending far beyond the game itself.
Why This Version? An Unpatched Flaw
According to sources familiar with the situation, Activision took down only the Microsoft Store and Game Pass version of Call of Duty: WWII because it was a different build of the game compared to the version available on platforms like Steam. Crucially, this specific version contained an old flaw that had previously been patched in other iterations of the game. This suggests a discrepancy in update cycles or codebases between the different PC releases of the game, leaving the Microsoft Store/Game Pass version vulnerable to an exploit that was already addressed elsewhere.
Maintaining multiple versions of a game across different platforms can be a complex technical challenge. Ensuring that security patches and updates are consistently applied to all builds requires rigorous version control and testing. In this case, it appears a legacy vulnerability persisted in one specific distribution channel, creating a window of opportunity for attackers.
A History of Call of Duty Security Woes
This incident is not an isolated event for Activision and the Call of Duty franchise, which has faced numerous security challenges in recent years. The popularity and competitive nature of the games make them prime targets for hackers, ranging from those developing and selling cheats to those seeking to exploit vulnerabilities for malicious purposes.
- In November 2024, a hacker claimed to have banned thousands of legitimate Call of Duty players by abusing a flaw in the game's anti-cheat system. This incident highlighted how even systems designed to protect players can become vectors for abuse if not properly secured.
- Earlier in 2024, the company investigated a campaign targeting players with infostealer malware, malicious software designed to steal sensitive information like passwords and account credentials.
- In 2023, hackers used self-spreading malware, a type of computer worm, to infect players of Call of Duty: Modern Warfare. This attack was made possible by an unpatched, years-old bug in the game, mirroring the situation seen with Call of Duty: WWII.
These repeated incidents underscore a persistent challenge for Activision in securing its vast and popular gaming ecosystem against sophisticated and evolving cyber threats.
The Human Cost: Player Impact and Frustration
For the players affected by the Call of Duty: WWII RCE exploit, the consequences were immediate and alarming. Reports from users on platforms like Reddit and X (formerly Twitter) detailed the unsettling experience of having their computers visibly manipulated while playing the game. One player on Reddit explicitly warned others, stating, “The game is not safe to play on PC right now, there’s an RCE exploit.”
Beyond the fear and inconvenience of a compromised computer, such incidents erode player trust. Gamers expect that playing a title from a major publisher on a reputable platform like Game Pass will be a safe experience. Discovering that a game contains a critical, unpatched vulnerability that can lead to system-level compromise is a serious breach of that implicit trust. The lack of immediate transparency from Activision regarding the nature of the “issue” also contributed to player anxiety and frustration before the confirmation emerged.
The Broader Picture: Game Security Challenges
The Call of Duty: WWII incident highlights broader challenges within the video game industry regarding cybersecurity. As games become more complex, interconnected, and integrated with players' systems, the attack surface for malicious actors grows. Game companies are not only battling in-game cheating but also sophisticated cyberattacks aimed at disrupting services, stealing data, or compromising player machines.
Maintaining the security of live service games, especially those with long lifespans and multiple platform releases, requires continuous effort. This includes:
- **Vulnerability Management:** Regularly scanning code for flaws, responding quickly to reported bugs, and ensuring patches are deployed consistently across all versions and platforms.
- **Anti-Cheat Systems:** While primarily focused on gameplay integrity, robust anti-cheat measures can sometimes help detect or prevent certain types of exploits, though they are not a substitute for fundamental code security.
- **Network Security:** Protecting game servers and the communication channels between players and servers from various forms of attack.
- **Player Education:** Informing players about potential risks and best practices for securing their accounts and systems.
The economic realities of game development and maintenance can sometimes conflict with the demands of comprehensive security. Older titles, like Call of Duty: WWII, may receive less development attention than newer releases, potentially leaving older codebases with lingering vulnerabilities if not actively managed.
Activision's Security Posture Amidst Layoffs
The timing of this security incident also raises questions in the context of recent corporate changes at Activision Blizzard, particularly following its acquisition by Microsoft. The company has undergone several rounds of layoffs over the past couple of years. Reports indicate that these workforce reductions have, in some instances, directly impacted cybersecurity teams within the company.
Security is a labor-intensive field that requires skilled professionals dedicated to monitoring threats, analyzing vulnerabilities, developing patches, and responding to incidents. Reductions in security staffing can potentially strain a company's ability to maintain a strong defense posture, especially when dealing with a large portfolio of games and platforms like Activision's. While the direct link between the layoffs and the specific unpatched flaw in Call of Duty: WWII is not explicitly stated, a reduction in security resources could plausibly affect the thoroughness and speed of vulnerability identification and patching across older or less prioritized game versions.
Other major game companies, such as Riot Games, have publicly discussed their efforts to beef up cybersecurity and anti-cheat teams in response to the growing threat landscape. This contrasts with the reported downsizing of security personnel at Activision, raising concerns about the company's capacity to effectively combat persistent and emerging threats.
Looking Ahead
At the time of publication, the Microsoft Store and Game Pass version of Call of Duty: WWII remains offline, as indicated by Activision's online services status page. The company is presumably working to patch the old flaw and ensure the game is safe before bringing it back online for those platforms.
This incident serves as a stark reminder of the importance of cybersecurity in the gaming world. For players, it highlights the need for vigilance, including keeping their operating systems and security software updated, and being cautious about the games they play and the platforms they use, especially if reports of vulnerabilities surface.
For game developers and publishers, the Call of Duty: WWII RCE exploit underscores the critical necessity of comprehensive security practices that extend to all versions and platforms of their games, regardless of age. It emphasizes the need for consistent patching, robust vulnerability management, and sufficient investment in cybersecurity teams to protect their players and maintain trust in their services. The ongoing battle against hackers in the gaming space requires continuous effort and a proactive approach to security.