Bandai Namco has disabled the Dark Souls role-playing game’s online PvP feature, taking its servers down to investigate claims of a severe security vulnerability that might affect players. According to community reports on Reddit, it is a remote code execution (RCE) flaw that might allow attackers to take control of the system, giving them access to sensitive data and allowing them to install malware or use resources for bitcoin mining.
“It is now possible for Dark Souls 3 invaders to run code on your PC without permission. AKA RCE, Remote Code Execution. This same hack is possible in Elden Ring,” a user posted on Reddit.
The same reports also claim that the vulnerability is widely distributed and might be used against Bandai Namco’s next game, Elden Ring. The issue was made public on Saturday after a Discord post clarified that the game developer had received specifics about the RCE vulnerability in a responsible disclosure report directly from the individual who identified it. Bandai Namco disregarded the report, so the reporter chose to expose the problem on major streams to increase awareness and emphasize its importance.
Indeed, at least one Twitch stream inadvertently demonstrated the attack, ending in a crash after the execution of Microsoft PowerShell and a text-to-speech script. Following claims of active exploitation, Dark Souls stated on Twitter that all of the series’ PvP servers would be taken offline while the team investigated the allegations. This impacts only the PC platform; the PvP experience on Xbox and PlayStation consoles is unaffected.
Blue Sentinel, a popular Dark Souls anti-cheat program, is apparently working on a patch to prevent the bug from being exploited. However, the tool’s ability to mitigate risks isn’t assured.