Microsoft patches a critical vulnerability in Age of Empires II that let attackers execute code on players’ PCs through malicious game invites.
In a bizarre but highly dangerous convergence of gaming and cybersecurity, players of a legendary real-time strategy franchise suddenly found their physical computers at risk. Officially resolved on Tuesday, July 14, 2026, Microsoft issued an emergency security patch for Age of Empires II: Definitive Edition to eliminate a high-severity security vulnerability. The critical software bug allowed remote attackers to execute malicious code on a victim’s PC, effectively giving cybercriminals complete control over the compromised operating system. Released globally as part of Microsoft’s massive July 2026 Patch Tuesday update, the remediation forces players to update their local game installations immediately to prevent bad actors from turning casual multiplayer matches into gateway attacks for digital espionage.
The geographic and technical scope of where this vulnerability resides targets any Windows-based gaming PC running versions of Age of Empires II: Definitive Edition older than version 101.103.46651.0. The threat model is particularly dangerous because it exploits the trust inherent in online multiplayer lobbies. By tricking a target into joining a multiplayer game lobby or opening a custom, user-generated scenario file, an attacker could silently trigger the exploit over the network. The vulnerability did not require administrative privileges to execute. It ran directly with the permissions of the local logged-in player, allowing a hacker to place malware, siphon saved web browser credentials, or encrypt personal files.
The underlying engineering failure explaining why this bug existed is tracked as CVE-2026-50663, a severe relative path traversal flaw. Path traversal occurs when an application accepts external user inputs to construct file paths without adequately restricting access to the game’s designated root directory. In this case, when a player accepted a malicious game invite or joined a lobby, the game automatically accepted custom, user-generated scenario files and assets from the host. Because the game’s file-handling code failed to validate these incoming paths, attackers used specific path strings (like ../ sequences) to escape the game’s safe folder. This allowed the lobby host to write arbitrary executable files directly into sensitive startup directories on the player’s hard drive.
See Also: Suno Caught Scraping Millions of YouTube Songs in Code Leak
The timeline of the discovery shows that the vulnerability was quietly reported to Microsoft by security researcher Rick de Jager, who demonstrated the threat on social media by executing an exploit via a custom lobby invitation. The fix arrived during an unprecedented July Patch Tuesday cycle where Microsoft resolved a record-shattering 570 software vulnerabilities. While cybersecurity experts note that gaming systems are increasingly attractive targets for automated malware, Microsoft has confirmed there is no evidence suggesting this path traversal flaw has been actively weaponized in the wild before the patch.

