Major Souls exploit that took servers offline ‘to be made public before Elden Ring’

A person whose discovery of a major Dark Souls exploit forced Bandai Namco to pull all PC game servers offline has told VGC they will publicly disclose details of the vulnerability before the release of Elden Ring this month.

PvP servers for Dark Souls: Remastered, Dark Souls 2 and Dark Souls 3 have been offline for three weeks, following the discovery of a severe remote code execution (RCE) vulnerability, which was said to allow abusers to take control of other players’ PCs .

Now, one of the people behind the discovery of the vulnerability has told VGC they will publicly disclose details of the exploit, after Bandai Namco released a statement claiming it would fix the issue.

“FromSoftware has just announced their plan regarding the Dark Souls servers and confirmed the exploit will be fixed in Elden Ring,” the person told VGC. “As such, I am planning to go through with the public disclosure. For now, I don’t know the exact date since I will be quite busy next week, but it will be a few days up to a week before Elden Ring release.”

It’s typical that hacker groups publicly disclose details of vulnerabilities, to ensure that companies follow through with their promise to fix them.

As reported by VGC last week, the person behind the discovery of the RCE said that they had made Bandai Namco aware of it over a month earlier, and that neither the publisher nor developer From acted upon the warning until its discoverer demonstrated it in a public Twitch stream last month (as seen in the video below).

According to those familiar with the issue, the RCE enables the user to remotely run code on another player’s PC then take control of it, potentially giving them access to sensitive data or allowing them to run malicious software.

Although the exploit is clearly serious, it’s believed that only a handful of people outside of Bandai Namco know how to perform it, and they have no interest in using it for anything malicious.

The person who discovered the RCE alleges that there are serious issues with all of the Souls games’ shared network infrastructure and said they believe it’s “inevitable” that Elden Ring will feature many of the same exploits, which will “probably be carried without issues and used on release by malicious cheaters.”

In a statement published this week, Bandai Namco confirmed that online services for the Dark Souls PC games will remain offline until after the release of Elden Ring on February 25, as it worked to fix the exploit.

“We want to thank the entire Dark Souls community and the players who have reached out to us directly to voice their concerns and offer solutions,” it said. “Thanks to you, we have identified the cause and are working on fixing the issue.

“We have extended the investigation to Elden Ring – our upcoming title launching on February 25th – and have made sure the necessary security measures are in place for this title on all target platforms.

“Due to the time required to set up proper testing environments, online service for the Dark Souls series on PC will not resume until after the release of Elden Ring. We will continue to do everything we can to bring back these services as soon as possible.”

Dark Souls servers will have been down for over a month by the time Elden Ring releases.