Remote code execution flaw forces Activision to remove Call of Duty: WWII from Game Pass
Take action: If you are playing Call of Duty: WWII from the Microsoft Store and PC Game Pass, be aware that it's vulnerable, and hackers can attack you when you are using the game. Wait for an update from Activision. Yes, you can be hacked through a game.
Learn More
Activision was forced to remove Call of Duty: WWII from the Microsoft Store and PC Game Pass on July 5, 2025, after widespread reports emerged of hackers exploiting a remote code execution vulnerability to gain complete control of players' computers during live multiplayer matches.
The incidents started just days after the 2017 first-person shooter was added to Microsoft's Game Pass subscription service on June 30, 2025, attracting thousands of new and returning players to the aging title.
The cause of the vulnerability was attributed to an unpatched remote code execution flaw that remained present in the Microsoft Store and Game Pass versions of Call of Duty: WWII. The game publisher took down only the Microsoft Store and Game Pass version of Call of Duty: WWII because they were different versions of the game than listed on Steam and contained an old flaw that had been patched on other versions of the game.
The vulnerability was exacerbated by the game's reliance on peer-to-peer networking architecture, where individual players' computers act as match servers, creating direct connections between players that hackers could exploit.
The first wave of exploitation attempts began on July 2, 2025, just two days after the game became available through Game Pass. Players quickly began documenting incidents on social media where attackers successfully gained unauthorized access to their systems during live gameplay sessions.
The security vulnerability enabled:
- Remote code execution allowing complete system control
- Forced system shutdowns and restarts
- Unauthorized access to command prompt and system applications
- Installation of malware, ransomware, or remote administration tools
- Display of explicit content and inappropriate material
- Desktop wallpaper manipulation and system file access
- Potential data theft and credential harvesting capabilities
The number of affected players has not been disclosed by Activision but the incident gained significant attention as thousands of Game Pass subscribers. Multiple prominent streamers and content creators were documenting successful attacks against their systems in real-time.
Activision has not provided a timeline for when the game might return to the Microsoft Store or Game Pass, and has been vague about the "issue" that caused the removal.
