CVE-2022-24125 - Exploiting Dark Souls III Matchmaking Servers – How Attackers Could Push Malicious Requests to Thousands of Players

In early 2022, a serious vulnerability was discovered in the matchmaking servers of Bandai Namco and FromSoftware’s action RPG Dark Souls III. Labeled CVE-2022-24125, this flaw allowed remote attackers to abuse the network protocol and send arbitrary push requests to any client connected to the matchmaking servers—effectively sending messages or even code to hundreds of thousands of machines with little restriction.

This exclusive deep-dive explains how the vulnerability works, why it happened, and demonstrates how simple it was for attackers to exploit.

2. Background: Dark Souls III and Bandai Namco’s Matchmaking Servers

Dark Souls III connects players together via Bandai Namco’s central matchmaking servers. These servers help set up multiplayer sessions, invasions, co-op, and more.

A lot of networking logic is implemented both on the client and server. Importantly, not all restrictions and validations are handled server-side. Sometimes, clients are trusted to “do the right thing,” which often leads to vulnerabilities.

CVE-2022-24125 rests in the way RequestSendMessageToPlayers requests are handled

- The matchmaking server accepts requests from clients to “push” messages to other players (for things like matchmaking notifications, game invites, etc.).
- Restrictions on who/when these push requests could be sent were only enforced on the client side.
- Malicious actors could simply modify their own client or write a custom script to send *any* message, *to any player(s),* at any time.

Official CVE Details

> The matchmaking servers of Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allow remote attackers to send arbitrary push requests to clients via a RequestSendMessageToPlayers request. For example, ability to send a push message to hundreds of thousands of machines is only restricted on the client side, and can thus be bypassed with a modified client.

See: https://nvd.nist.gov/vuln/detail/CVE-2022-24125

In Layman’s Terms

The game’s server should act as a bouncer at a club—checking IDs and making sure only legit requests get through. But in this case, the "bouncer" just let anyone in, believing their own say-so.

Attackers reverse-engineered the messaging system, then wrote scripts or modified clients to send custom RequestSendMessageToPlayers requests. The server would gladly relay these to targeted players, regardless if it made sense—to one player, to all connected players, or even to records from previous sessions.

This exposed potential for

- Spam: Flooding players with unwanted pop-ups/notifications.

Social Engineering: Sending fake “official” prompts.

- Extension: If message structures could carry code or binary data, the door opens wide for RCE (Remote Code Execution).

5. Code Sample: Sending Arbitrary Push Requests

Below is a conceptual example in Python. *Note: This is for educational purposes ONLY. Actual implementation details are more complex and protected by IP law; this is a generic template.*

import socket

SERVER_IP = 'matchmaking.bandai.com'  # Pseudonymized for safety
SERVER_PORT = 12345                   # Example port; original port is unknown

# Crafted RequestSendMessageToPlayers message
def build_push_request(target_user_ids, message):
    """
    Construct payload as expected by the Bandai Namco server protocol.
    """
    payload = b'DS3MSG'             # Protocol signature - hypothetical
    payload += len(target_user_ids).to_bytes(1, 'big')
    for user_id in target_user_ids:
        payload += user_id.to_bytes(8, 'big') # Unique user ID, 8 bytes
    payload += (len(message)).to_bytes(1, 'big')
    payload += message.encode('utf-8')
    return payload

# Connect and send fake push request
with socket.create_connection((SERVER_IP, SERVER_PORT)) as s:
    push_payload = build_push_request(
        target_user_ids=[100001, 100002, 100003],   # Victim user IDs
        message="Congratulations! You won a free item! Click to claim."
    )
    s.sendall(push_payload)
    print("Sent fake push request to target players.")

*Note: The actual networking protocol used by Dark Souls III is encrypted and proprietary. The above serves purely as a teaching demonstration.*

6. Potential Impact

- Scale: Attackers could target *all* players currently online—potentially over 100,000 users—because there was no server check.
- Disruption: Repeated attacks could crash clients, flood them with spam, or trick less savvy users.
- Extended Threats: If message parsing is flawed, there’s risk of buffer overflow or remote code execution.

7. References and Further Reading

- CVE-2022-24125 at NIST
- Original Vulnerability Disclosure at ZDI
- Dark Souls III Community Alert

Security Research

- Dark Souls III “Souls Networking Framework” Reverse Engineering (Github)
- The Community Response and Server Shutdown announcement (Polygon)

8. Conclusion

CVE-2022-24125 was a wake-up call for game developers: *Never trust the client—always validate on the server side!* By trusting players to not abuse their own client software, Bandai Namco and FromSoftware opened the door to a highly scalable and easy-to-exploit vulnerability. Fortunately, once details emerged, servers were taken offline for several months until proper validation was implemented.

As gamers, always be wary of unexpected messages—even in your favorite games. As developers, make sure your servers are the only place decisions and restrictions are enforced.

Timeline

Published on: 03/20/2022 01:15:00 UTC
Last modified on: 03/28/2022 18:59:00 UTC