Several of the first-party games from Nintendo on 3DS, Wii U, and Switch are vulnerable to an exploit that allows remote code execution.
The vulnerability was reported through a GitHub page, and an example was also demonstrated in a video. It was one of the reasons Nintendo recently decided to release a patch for Mario Kart 7, despite it being a decade-old game that launched for the Nintendo 3DS.
This exploit allows an attacker to execute code remotely on the target system, i.e. a 3DS, Wii U, or Switch. All they need to do is start an online match with the target machine. The video below shows it in action.
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many first party 3DS, Wii U and Switch games. It allows remote code execution in a victim console by just having an online game session with an attacker.
Vulnerability report: https://t.co/QbvXKQLeDf
🧵(1/7) pic.twitter.com/4qewU5YQ9x
PabloMK7 (@Pablomf6), December 24, 2022
Here is a list of the games that have been discovered to be vulnerable to this exploit. There are possibly more games that might be affected by this issue.
- Mario Kart 7 (fixed in v1.2)
- Mario Kart 8 (still not fixed)
- Mario Kart 8 Deluxe (fixed in v2.1.0)
- Animal Crossing: New Horizons (fixed in v2.0.6)
- ARMS (fixed in v5.4.1)
- Splatoon (still not fixed)
- Splatoon 2 (fixed in v5.5.1)
- Splatoon 3 (fixed in late 2022, exact version unknown)
- Super Mario Maker 2 (fixed in v3.0.2)
- Nintendo Switch Sports (fixed in late 2022, exact version unknown)
- Probably more…
If you want to read more about the exploit, check out the GitHub page, which offers details on how it works. The vulnerability is codenamed ENLBufferPwn, and it is astonishing that it affects so many games from Nintendo's first-party studios. Even the recently released Splatoon 3 was affected until it was patched.
While these kinds of issues are usually found on older consoles, they can still occur in modern games, which shows that this is an issue with how Nintendo has implemented multiplayer for its hardware.
The chance that you will be affected by this exploit is very small, but it is better to be safe than sorry. The exploit allows an attacker to record audio/video from your hardware as well as take any other sensitive information, so it is best to avoid playing these games for now.
Source via GitHub