YYaaa News

Age of Empires II lobby bug allowed remote code execution

TL;DR

A malicious Age of Empires II lobby could trigger CVSS 8.8 RCE; Microsoft patched it July 14.

A multiplayer invitation could turn Age of Empires II: Definitive Edition into a remote-code-execution path. Microsoft patched CVE-2026-50663 on the July 14 Patch Tuesday. The Windows vulnerability has a CVSS score of 8.8.

Microsoft classified the bug as relative path traversal. An attacker prepares malicious game content and persuades a player to join a multiplayer lobby; after the player accepts or automatically accepts UGC, the content can write malicious files outside the intended directory and lead to code execution on the victim's computer.

Rapid7 wrote that successful exploitation lets an attacker place files in unexpected locations. Researcher Rick de Jager summarized the demonstration as joining an attacker's lobby, accepting or auto-accepting UGC, and obtaining RCE. TechCrunch reported that the chain could give the attacker control of the victim's computer.

Microsoft rated the vulnerability Important and assessed exploitation as less likely. Its record shows no public disclosure and no detected exploitation. The fix shipped with the July 14 security update, not an April release.

Players must update to at least 101.103.46651.0. Microsoft provided no alternative mitigation.

via TechCrunch / Microsoft MSRC / Rapid7 / Zero Day Initiative
罕見:加入《世紀帝國 II》大廳可觸發 RCE|Microsoft 修補 CVSS 8.8 漏洞