Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.
What just happened? Just days after its arrival on PC Game Pass, Call of Duty: WWII has been pulled offline for those using Microsoft's subscription service. The abrupt removal follows a surge of reports from the gaming community about a critical security vulnerability that allowed attackers to remotely take control of players' computers during online matches.
The issue surfaced almost immediately after the 2017 shooter was added to the Game Pass library at the end of June. While the game remains available on platforms like Steam and Battle.net, only the Microsoft Store and Game Pass versions have been affected by the takedown.
Activision, the publisher behind the Call of Duty franchise, has offered few details about the nature of the problem. The company's official statement simply noted that the game was "brought offline while we investigate reports of an issue."
I JUST GOT HACKED PLAYING WW2! EVERYONE DO NOT PLAY WW2 ON GAMEPASS! @Xbox @XboxSupport @Activision @charlieINTEL @CODUpdates @FaZeScope @Mobbing pic.twitter.com/I5pehK1kHK
– Wrioh (@wrioh75753) July 3, 2025However, evidence shared by players and cybersecurity experts suggests that a remote code execution (RCE) exploit is the root cause. This RCE flaw reportedly enabled malicious actors to run unauthorized code on other players' PCs. Victims described a range of disruptive incidents, including sudden pop-up messages, forced computer shutdowns, and desktop backgrounds replaced with explicit images. In some cases, attackers used Notepad to taunt players or displayed messages claiming ownership of the compromised system.
The vulnerability appears to be linked to the game's peer-to-peer networking system, where one player's machine can act as the server for a match. This setup, while efficient for matchmaking, exposes users to greater risk if security holes exist, as it allows direct communication between players' computers.
Gamers are going ballistic
Call of Duty WWII, available on Xbox PC Game Pass, contains an unpatched RCE exploit
Someone is trolling gamers with Notepad pop ups, PC shutdowns, and gay pornography pic.twitter.com/FLNzRbLt1s
Clips and screenshots posted to social media by affected players quickly spread awareness of the threat. One viral video showed a player's session interrupted by a text window declaring, "just RCE'd your ass," followed by a desktop wallpaper swap.
Cybersecurity collectives also documented similar incidents, warning that the exploit could potentially be used for more serious attacks, such as deploying malware or stealing personal data.
As of now, there is no timeline for when Call of Duty: WWII will return to PC Game Pass or the Microsoft Store. The incident has reignited concerns about the security of older multiplayer games, particularly those that utilize peer-to-peer networking and lack ongoing maintenance.
Similar vulnerabilities have previously affected other high-profile games, sometimes resulting in months-long outages while developers worked on fixes. As a notable example, in early 2022, the Dark Souls franchise on PC was affected by a critical RCE vulnerability that allowed attackers to execute malicious code on other players' machines during online play. As a result, online services for Dark Souls: Remastered, Dark Souls II, and Dark Souls III were taken offline for over nine months while developers worked on a comprehensive fix.
Players are advised to avoid launching the game on affected platforms until Activision provides further updates or a patch is released. The publisher has yet to announce any concrete steps toward resolving the issue or compensating affected users.
English (US) ·