A recent update for Nintendo Wii U and 3DS games fixed a security exploit that would have allowed hackers to take over users’ consoles when playing specific titles. First spotted by Nintendo Everything, the ENLBufferPwn vulnerability had already been reported to Nintendo in 2021, and it was also present in a handful of recent Nintendo Switch games.
One of the players who discovered the vulnerability, Pablomf6, stressed that an attacker could take over a player’s system just by playing online with them. That attacker could then use the exploit to obtain the player’s sensitive information.
On the Common Vulnerability Scoring System Calculator, the exploit had a score of 9.8 (or “critical”).
Last week, some Nintendo users noted on social media that Mario Kart 7 had received its first update in a decade, and this is why: Nintendo’s patch addressed that security flaw, and similar patches were released for Super Mario Maker 2, Animal Crossing: New Horizons, and Splatoon 2.
More recent Switch games like Splatoon 3 and Nintendo Switch Sports also had the exploit, but Nintendo has reportedly already updated those titles, according to Nintendo Everything.
However, Nintendo Everything pointed out that the vulnerability still exists in the original Splatoon and Mario Kart 8 for the Wii U. At the time of writing, neither game has been patched, and it’s unknown when a fix for those two titles will arrive.
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many first party 3DS, Wii U and Switch games. It allows remote code execution in a victim console by just having an online game session with an attacker.
Vulnerability report: https://t.co/QbvXKQLeDf
— PabloMK7 (@Pablomf6) December 24, 2022