Dark Souls PvP servers suspended due to remote code execution exploit

midian182

What just happened? Being able to invade another player's game is one of the Dark Souls series' defining characteristics, but it seems this feature can be used for some very nefarious purposes. Yesterday (Sunday, January 23), Bandai Namco and From Software announced that PvP servers for all three titles were temporarily suspended due to a security vulnerability that could allow an invader to run code on a PC remotely.

Kotaku reports that the Dark Souls remote code execution (RCE) exploit was exposed during a Dark Souls 3 livestream a few days ago. You can see from this NSFW (sweary) clip how shocked The__Grim__Sleeper is when he gets invaded, the game crashes, and some text-to-speech starts playing.

Twitter user @SkeleMann and several subreddits confirmed the Dark Souls RCE vulnerability, including this Elden Ring community that claims it will also work in the upcoming title, one of the year’s most anticipated games.

It’s believed that the person who hacked the stream isn’t a hacker in the traditional sense. It's someone who has long known about the exploit and tried to warn From Software about it but felt the company ignored them. As such, the person invaded the stream to draw more attention to the RCE vulnerability, which could be used to brick PCs, steal information, and run programs in the background.

Bandai Namco responded on Reddit to reports of the exploit, confirming that the information had been submitted to the relevant teams. The official Dark Souls Twitter account also posted the following Tweet:

"PvP servers for Dark Souls 3, Dark Souls 2, and Dark Souls: Remastered have been temporarily deactivated to allow the team to investigate recent reports of an issue with online services. Servers for Dark Souls: PtDE will join them shortly." PvP servers for Xbox and PlayStation consoles are unaffected.

The fan-made Blue Sentinel mod, previously used against a hack that destroyed saved games, has been updated to protect against the RCE vulnerability. It’s believed that the latest exploit is not circulating in the wild and that only around four people directly involved with Blue Sentinel know how to use it.
