If you can, it’s time to patch your console to avoid these Nintendo vulnerabilities in key games.

A highly impactful exploit has had Nintendo on high alert, trying to patch a vulnerability that has affected 3DS, Wii U and Switch consoles. Affecting some of Nintendo’s online-based games, this recently discovered issue has meant that attackers have been able to gain unauthorised access to consoles during online play. It has reportedly been a while since Nintendo attempted to patch the exploit, called ‘ENLBufferPwn’, with live updates to tackle the problem.

A deeper dive into the details of the vulnerability has been shared by PabloMK7, Rambo6Glaz, and Fishguy6564 on GitHub. The Common Vulnerability Scoring System has ranked this situation as ‘Critical’. The GitHub users discovered that attackers can gain access to sensitive information by gaining remote control when players play an online game with them. This includes taking video or audio information by through code

Back in “2021/2022” @Pablomf6 reported the vulnerability to Nintendo and received a $1000 reward through Nintendo’s HackerOne program for their cooperation. With MarioKart 7’s recent update after a decade, more affected games are now being fixed by Nintendo. According to GitHub the following titles were affected (note that MarioKart 8 and Splatoon have also now been fixed, as reported by NintendoLife):

Whilst it’s being argued that additional games may also be affected, there is no concrete confirmation at the moment.

The video below shows the exploit taking place on an online game of MarioKart 7. The YouTuber PabloMK7 uses an unmodified 3DS (right side) and an example of an attacker (left side).

The attacker gains the upper hand on the other console by copying a return-oriented programming (ROP) payload. The victim’s console force-runs a custom firmware installer, which is potentially an open door for the attacker to access sensitive information. As long as you’re running the latest version of the 3DS software, your console should be completely safe now that this has been fixed!
