
A recent update for Age of Empires II: Definitive Edition fixed a remote code execution (RCE) vulnerability that could have allowed attackers to compromise other players' systems through multiplayer.
The flaw, tracked as CVE-2026-50663, stemmed from a relative path traversal bug that security researcher Rick de Jager demonstrated could be exploited through custom scenarios and even multiplayer lobby file transfers.
The vulnerability was reported to Microsoft through coordinated disclosure by de Jager, who published technical details and a proof-of-concept video on X. According to the researcher, the bug had already been fixed in April with Age of Empires II: Definitive Edition update 174992, while the official CVE assignment arrived later as part of Microsoft's July Patch Tuesday.
Age of Empires II: Definitive Edition is the remastered version of Microsoft's classic real-time strategy game and continues to maintain a large online multiplayer community, with regular updates and support for custom content.
Microsoft classifies the vulnerability as a relative path traversal issue, with a CVSS v3.1 score of 8.8. According to the advisory, an attacker could craft a malicious game scenario file that writes files outside the intended game directory. By placing files in unintended locations, the attacker could ultimately execute arbitrary code on the victim's system.
While Microsoft's advisory describes an attack involving a specially crafted scenario file that a victim must open, de Jager's research showed that the bug could be exploited through multiple reachable code paths.
In one attack scenario, a victim joins an attacker's multiplayer lobby, accepts user-generated content, and loads into a match. During that process, the game extracts an XS script that can be written to an attacker-controlled location using the path traversal flaw.
According to de Jager, an even more effective approach involved the game's lobby file transfer mechanism. Because those transfers reached the same vulnerable file-writing functionality without requiring the victim to load into a match, they reduced the amount of user interaction needed for exploitation.
To demonstrate the attack, the researcher reverse-engineered the game's networking protocol and built a proxy capable of intercepting and modifying lobby traffic in real time, describing it as a “Burp for AoE2.”
Using the tool, he demonstrated how an attacker could advertise a custom map with a path traversal filename, overwrite the game's bug reporter executable, and then crash the victim's game. When the crash reporter launched, the overwritten executable would execute instead. De Jager added that a more sophisticated attacker could instead overwrite one of the game's DLLs, making the compromise less obvious.
Players should ensure they are running the latest version of Age of Empires II: Definitive Edition, as the vulnerability was fixed in update 174992. Users running older versions should avoid opening custom scenarios or accepting user-generated content from untrusted players, as these mechanisms formed the basis of the demonstrated attacks.







Leave a Reply