Tech News

Age of Empires II Flaw Let Attackers Take Over PCs via Multiplayer Game

Microsoft's July 2026 Patch Tuesday includes an unusual security flaw because it was found in Age of Empires II: Definitive Edition, the remastered version of this incredible game published by Microsoft. This vulnerability could lead to remote code execution on your PC. Here's what we know.

A Major Flaw in a Legendary Video Game

Age of Empires II... What a game. It takes me back to my youth, and I almost feel like picking it up again. Anyway, that's not the point. More seriously, Microsoft has patched a security flaw that allowed remote code execution (RCE) in Age of Empires II: Definitive Edition, the re-release of its strategy game.

The flaw, tracked as CVE-2026-50663, was disclosed on July 14, 2026, in the wake of the July 2026 Patch Tuesday. It is a directory traversal flaw associated with a CVSS 3.1 score of 8.8 out of 10.

According to Microsoft’s bulletin, an attacker could craft a malicious game scenario file capable of writing files outside the game directory. By placing files in other locations on the PC's disk, the attacker could manage to execute arbitrary code on the victim's system.

From a Multiplayer Lobby to Full Takeover

So how can a hacker execute code on a PC through Age of Empires II? That's the question you should be asking. It's a story of booby-trapped files that the user has to open (so, no zero-click attack here). Security researcher Rick de Jager, who discovered the issue, showed that the flaw could be reached through several execution paths. He also published a demo on X.

In one scenario, the victim joins the attacker's multiplayer lobby, accepts user-generated content (UGC), then loads the game. During this process, the game extracts an XS script that can be written to a location controlled by the attacker thanks to the flaw described in this article.

According to the researcher, another approach relies on the lobby file transfer mechanism. These transfers reached the same vulnerable file-writing function without the victim needing to load a game, reducing the level of interaction required for exploitation. Rick de Jager did not stop there, as he even developed a proxy capable of intercepting and modifying lobby traffic in real time. A kind of Burp Suite for Age of Empires II, which he literally calls that: Burp for AoE2.

With this tool, he published a custom map whose file name contained a payload to exploit the directory traversal flaw, overwrite the bug reporter executable, and then trigger a crash. As a result, when the error report was launched, the malicious file ran instead. The researcher adds that an attacker might instead target a DLL library used by the game to make the attack more discreet. This could even lead to full control of the victim's computer.

If you want to avoid losing the battle before you even start playing, you should install the latest version of Age of Empires II: Definitive Edition (via Steam or the Microsoft Store). It includes the security patch for CVE-2026-50663 (version 101.103.46651.0 is mentioned).

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.