Nintendo have taken down the Wii U Servers for Mario Kart 8 and Splatoon 1. Officially for temporary Network maintenance, but it’s likely they are (finally) looking into the impact of the ENLBufferPwn, an unpatched exploit on 3DS/Wii that allows attackers to take remote control of your console simply by joining the same online game as you.

What is ENLBufferPwn for Nintendo Switch, Wii U, and 3DS?

ENLBufferPwn is a hack impacting first party Nintendo games on 3DS, Wii U, and Switch. It was disclosed back in December 2022 and it appears Nintendo haden’t fixed all the games at the time, in particular older games running on their older generation consoles (whether for financial or technical reasons is unclear).

Due to older and less secure code stacks, the 3DS and Wii U are particularly impacted by the hack which allows a malicious user to take control of these consoles remotely, simply by joining the same game as you. (Switch is less impacted because running arbitrary code through a game exploit is much more difficult there). From the initial disclosure:

ENLBufferPwn is a vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victim’s console by just having an online game with them (remote code execution). It was discovered by multiple people independently during 2021 and reported to Nintendo during 2021 and 2022. Since the initial report, Nintendo has patched the vulnerability in many vulnerable games. The information in this repository has been safely disclosed after getting permission from Nintendo.

The vulnerability has scored a 9.8/10 (Critical) in the CVSS 3.1 calculator.

Here is a list of games that are known to have had the vulnerability at some point (all the Switch and 3DS games listed have received updates that patch the vulnerability, so they are no longer affected):

• Mario Kart 7 (fixed in v1.2)
• Mario Kart 8 (still not fixed)
• Mario Kart 8 Deluxe (fixed in v2.1.0)
• Animal Crossing: New Horizons (fixed in v2.0.6)
• ARMS (fixed in v5.4.1)
• Splatoon (still not fixed)
• Splatoon 2 (fixed in v5.5.1)
• Splatoon 3 (fixed in late 2022, exact version unknown)
• Super Mario Maker 2 (fixed in v3.0.2)
• Nintendo Switch Sports (fixed in late 2022, exact version unknown)
• Probably more…

Videos shared online at the time of the disclosure showed amusing (but concerning) videos demonstrating how easily someone could mess up your game simply by joining the same online room as you, and the exploit was also used to demonstrate the possibility to remotely install custom firmware on the console (full access to a console is a feature we generally like here at wololo.net, but obviously not if it’s done without you knowing about it). Some of these videos have since been removed, but you can still find a few of them on youtube.

ENLBufferPwn, is my Nintendo Switch at risk?

It seems Nintendo are finally taking action to protect 3DS and Wii U owners (malicious users could easily leverage the hack to permanently brick your console), by removing Online access for two of the still impacted games, Mario Kart 8 and Splatoon 1.

下記Wii Uソフトはオンラインプレイに関する脆弱性が発見されたため、現在緊急メンテナンスを実施しています。
・スプラトゥーン
・マリオカート８
対応に時間を要する見込みで、再開時期は未定です。誠に申し訳ございませんが、何卒ご了承くださいますようお願いいたします。 https://t.co/cQ3JtDhXQC

— 任天堂サポート (@nintendo_cs) March 3, 2023

It is not officially stated that the maintenance is to address ENLBufferPwn of course, but the listed games (Splatoon and Mario Kart 8) makes it suspiciously likely. That’s at least what the devs at Pretendo believe:

Nintendo seems to have finally taken down the servers for games affected by ENLBufferPwn, the 3DS/WiiU exploit which allows attackers to gain full console access remotely just by joining a game with them
They do not know when the servers will be back online. Hopefully it is soon! https://t.co/8IcaTwUdS3

— Pretendo (@pretendo@pretendo.network) (@PretendoNetwork) March 3, 2023

The takedown is supposed to be a temporary maintenance change, so hopefully for the gamers who still actively use their Wii U for online gaming, these will come back soon. It’s of course very possible Nintendo will choose not to fix the bug and instead simply sunset online features for these games on Wii U.

As mentioned above, although Switch games are similarly impacted, getting arbitrary code execution to run on the Nintendo Switch is much more difficult than on older consoles, and to our knowledge, there is no weaponized version of this hack in the wild for Nintendo Switch.