Call of Duty: WWII Pulled from Microsoft Store Due to Critical RCE Hack
Activision has disabled the Microsoft Store version of Call of Duty: WWII after hackers began exploiting a critical vulnerability that enabled remote access to players’ computers. The affected users were those who installed the game via Game Pass—a recently launched build distinct from the version distributed through Steam.
Last week, the company issued an official statement announcing the suspension of the game, citing only “reports of an issue” without disclosing its nature. It was soon revealed that the suspension stemmed from a severe remote code execution (RCE) flaw, which allowed malicious actors to install malware and take control of victims’ devices.
According to information obtained by TechCrunch from a source familiar with the situation, the game was pulled offline in direct response to a wave of successful intrusions. Social media reports corroborated players’ complaints, some of whom were reportedly hacked in real time during gameplay sessions. Reddit threads quickly became a hub of discussion, with users warning that the game had become unsafe to launch on PC.
It has since been confirmed that the compromised build of Call of Duty: WWII distributed via Microsoft Store and Game Pass differed significantly from its Steam counterpart, containing outdated code with a long-patched vulnerability—an oversight that ultimately enabled the breach. Two independent sources verified that the issue had already been addressed in the Steam version, and that the current threat was exclusive to the subscription-based release.
At the time of publication, the Microsoft Store version of the game remains offline, with Activision’s official page reflecting an ongoing investigation. Company representatives have not responded to media inquiries.
This incident marks yet another entry in a troubling series of security mishaps. In 2024, a threat actor discovered a method to bypass Call of Duty’s anti-cheat system, resulting in the automatic banning of thousands of legitimate players. That same year, a separate investigation exposed the distribution of an infostealer—a type of malware designed to harvest passwords—via game-related vectors. Even earlier, in 2023, a self-propagating virus was found infecting users of Call of Duty: Modern Warfare, exploiting a vulnerability that had gone unpatched for years.
Meanwhile, other game studios are reinforcing their cybersecurity and anti-cheat teams. In contrast, Activision has moved in the opposite direction, repeatedly downsizing its workforce in recent years—including the very personnel responsible for safeguarding its digital infrastructure.
