Nintendo has quietly patched a security vulnerability that could give hackers access to compromised Switch, 3DS, and Wii U games.
Remember when Nintendo released its first update for Mario Kart 7 in 10 years? Well, it turns out that was to address a critical exploit that “could allow an attacker to achieve full console takeover”.
Whilst the issue was reportedly first noted back in 2021, PabloMK7, Rambo6Glaz, Fishguy6564 have been credited with the discovery of “ENLBufferPwn”, an exploit so serious, it was given a critical score of 9.8/10 in the CVSS 3.1 calculator.
As spotted by Nintendo Everything, the exploit was also reportedly patched in Mario Kart 8 Deluxe, Animal Crossing: New Horizons, ARMS, Splatoon 2, and Super Mario Maker 2, as well as Splatoon 3 and Mario Kart 8 a short while back, as – according to one of the people who discovered it – “combined with other OS exploits, the vulnerability could allow an attacker to achieve full console takeover”.
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many first party 3DS, Wii U and Switch games. It allows remote code execution in a victim console by just having an online game session with an attacker.
Vulnerability report: https://t.co/QbvXKQLeDf
— PabloMK7 (@Pablomf6) December 24, 2022
By reporting the issue via Nintendo’s HackerOne program, the hackers secured $1000 bounty. It remains unclear if affected Wii U games will similarly be patched.