The Dark Souls RCE Exploit Was Years in the Making

Dark Souls 3 vulnerability concerns don't begin and end with January's exploit demonstration.

On January 22, reports alleging that a Dark Souls 3 vulnerability was exposing PC players to remote code execution (RCE) threats — a security vulnerability allowing cyber attackers to run any command on a target’s PC — began to surface. The day after, publisher Bandai Namco took down PVP servers for Dark Souls: Prepare to Die Edition, Dark Souls 2, Dark Souls 3, and Dark Souls Remastered. Since going offline, Bandai Namco has offered no further updates on its investigation, leaving players confused about the state of online modes and an unclear picture of what prompted the downtime.

Speaking to Fanbyte, LukeYui, the creator behind the popular Dark Souls security mod Blue Sentinel, and nrssr, who has been credited with discovering and demonstrating the recent vulnerability, say they have contacted Bandai Namco to report separate Dark Souls 3 vulnerabilities on multiple occasions. Past attempts to relay exploits to developer FromSoftware and communicate with Bandai Namco — including the disclosure of another RCE vulnerability back in 2020 — were said to be difficult and met with little to no action. The existence of serious vulnerabilities may extend across the Souls franchise, causing concern among players anticipating Elden Ring’s February launch.

The Dark Souls 3 RCE vulnerability that’s currently in the spotlight is one that nrssr, who uses the moniker for privacy, says they reported back in early December 2021. In an email to Bandai Namco, they provided documentation on the vulnerabilities and fixes in addition to video demonstrations of how the RCE functions. Although Bandai Namco’s support correspondence indicates it passed on the documentation to security teams working on Dark Souls, FromSoftware did not take action to address the vulnerability. This led nrssr to write their own community patch and carry out a plan to grab public attention, hoping to alert FromSoftware.

“Given FromSoftware’s track record about fixing exploits in their online games, I was not expecting them to act quickly,” nrssr explains. “I wanted to make sure the community had some form of protection ASAP.”

Their plan consisted of a public demonstration of the exploit on an unsuspecting Twitch streamer known as The__Grim__Sleeper. A clipped video shows the streamer’s Dark Souls 3 window crashing before the Microsoft text-to-speech voice begins reading a copypasta. The incident led to several days of headlines and prompted the Dark Souls community to speculate about its motivations. Many believed it was an attempt to raise awareness for a serious threat rather than a malicious attack. In their conversation with Fanbyte, nrssr confirms their goal was to gain FromSoftware’s attention.

Some reports indicate this happened to multiple streamers. However, nrssr says this was the only instance of the exploit being used for public demonstration; other claims are “straight up false.” They also noted early reports claiming that information on how to access the exploit had been leaked to the public are also wrong — though likely the result of community panic over security threats.

While the exploit demonstration stemmed from attempts to push Bandai Namco into further action last December, the folks behind Dark Souls’ community-driven security patches have shared experiences of other warnings going unpatched. Even before the Blue Sentinel hotfix issued on January 22 addressed nrssr’s findings, LukeYui worked on the mod to protect Dark Souls 3 PC players from more than just cheaters. Blue Sentinel also aims to stop other, more malicious attacks that can leave players’ PCs vulnerable.

“The mod protects against many different types of cheats, which range from some simple and publicly available scripts (e.g. a cheater crashing your game) to serious security vulnerabilities such as RCE exploits,” LukeYui explains. These vulnerabilities include an RCE LukeYui disclosed to Bandai Namco twice back in 2020. After a third report filed in 2021, LukeYui patched in mitigation via Blue Sentinel and submitted a report to assign the vulnerability a CVE-ID — a process that publicly catalogs cybersecurity vulnerabilities through databases like NVD. This process made LukeYui’s discovery public.

“The response was that they had ‘passed on the information to the developers’, but when I heard nothing back, I contacted them again, which received more or less the same response,” LukeYui says. “When it was clear that nothing was going to happen, I developed Blue Sentinel.”

Not all of the exploits identified in Dark Souls 3 are major risks to players’ PCs in the way an RCE vulnerability is. However, some in-game exploits allowed malicious players to ruin save files and prompted unwarranted bans for others. LukeYui documented infamous threats in the Dark Souls community — like the Item Give and NG+ cheats — months before malicious players discovered them.

Along with reports on the RCE vulnerability, LukeYui disclosed the NG+ cheat to Bandai Namco before it began wreaking havoc on the community. The mod creator describes the first RCE finding as “less severe” than nrssr’s discovery; it can cause similar damage but is harder to replicate. Even so, both are critical network vulnerabilities that potentially put more than just beloved save files and game accounts at risk. LukeYui says the RCE demonstrated in January “can do a lot more,” posing a risk that affects more players faster than the older vulnerability.

You May Also Like:

Aging games inundated with hackers ruining in-game experiences isn’t necessarily a surprising sight, but cybersecurity firm Kaspersky describes RCEs as “one of the most dangerous types of computer vulnerabilities,” leading to the theft of sensitive data, hijacked systems, or loss of control over components. After years of in-game cheats and continued vulnerability reports, the Dark Souls community and those working to discover potential threats are frustrated.

In conversations with nrssr and LukeYui, their frustration is clear. While companies like Bandai Namco should have processes in place for reporting, escalating, and investigating security vulnerabilities that pose threats to users, nrssr speculates the chain is breaking down somewhere. To them, communication obstacles are “the most important issue that FromSoftware needs to address,” as it’s hard for the community to make sure vulnerability disclosures are sent to the appropriate avenue. LukeYui doesn’t seem to know what to make of the years of inaction. While they have received communications from Bandai Namco support stating that reports have been passed along for investigation, there’s little to show for it.

In one 2020 exchange with the Blue Sentinel creator, a Bandai Namco support representative confirmed players mistakenly banned after becoming targets of the Item Give cheat were getting unbanned. They also stated FromSoftware was discussing a solution. However, that solution may not have been a fix from the developers. LukeYui says their understanding is that Bandai Namco “just turned off bans for invalid items,” meaning the vulnerability still remains.

There’s a concern that some of the most serious threats are falling by the wayside — and the urgency of the matter only grows with Elden Ring on the horizon.

When asked about shared threats among FromSoftware’s titles outside of Dark Souls 3, nrssr says they only found this latest Dark Souls 3 RCE vulnerability before authoring the proof-of-concept code to exploit it. However, they claim there are others researching Elden Ring’s Closed Network Test build, and confirmed that the vulnerable code exploited in mid-January was also present in the CNT.

They note “present” is an important distinction when describing the situation. To their knowledge, no one had written the proof-of-concept code for Elden Ring, so it may not be possible to execute this same RCE exploit. Both Dark Souls Remake and Dark Souls 2 are also said to host the vulnerability. The same situation applies for players using RPCS3 — the free and open-source emulator and debugger for PlayStation 3 games — to emulate Demon’s Souls on PC. The vulnerable code is there, but there is no exploit proving the same RCE is possible.

On Bandai Namco’s end, the company has acknowledged an ongoing investigation. A community manager from the Bandai Namco Europe team responded to users on Reddit flagging the initial RCE reports, noting the concern was delivered to relevant internal teams. A tweet from the Dark Souls Twitter account says PC PVP servers are “temporarily deactivated to allow the team to investigate recent reports of an issue with online services.” However, neither the publisher nor developer have commented on specific vulnerabilities, leaving players with pressing cybersecurity concerns in the dark.

Fanbyte has reached out to Bandai Namco but has not received a response. We will update this story should they follow up with a comment.