Microsoft Fixes Critical Security Flaw in Age of Empires II

Microsoft Fixes Critical Security Flaw in Age of Empires II

TL;DR

  • Microsoft patched CVE-2026-50663, an 8.8-rated remote code execution flaw in Age of Empires II: Definitive Edition that allows attackers to execute code via malicious game invites.
  • The vulnerability stems from a relative path traversal weakness (CWE-23) requiring user interaction to exploit, meaning players must accept an invite or open content from an untrusted source.
  • Users must update the game to version 101.103.46651.0 or higher via Steam or the Microsoft Store; checking Windows Update alone is insufficient to fix this game-specific issue.

Critical Flaw Uncovered in Retro Classic

A newly patched security vulnerability in Age of Empires II: Definitive Edition has exposed players to the risk of remote code execution, potentially allowing hackers to seize control of their computers. Microsoft identified the flaw, tracked as CVE-2026-50663, and released a fix on July 14, 2026, just days after the advisory was published by the Microsoft Security Response Center.

The vulnerability lies in how the game handles network data, specifically through a relative path traversal error that could let an unauthorized attacker execute malicious code over a network. While the flaw is serious, it is not a "zero-click" attack; it requires a user to take action, such as accepting a game invite or opening content from an untrusted source, to trigger the exploit.

The Mechanics of the Attack

The security weakness is classified as CWE-23 (Path Traversal), which allows attackers to manipulate file paths to access or execute files outside the intended directory. Microsoft’s CVSS assessment rates the vulnerability at 8.8 under version 3.1, indicating a "High" severity level, while the older CVSS v2 score hits a maximum 10.0 for "Critical" severity.

Key characteristics of the attack include:

  • Network Reach: An attacker can reach the vulnerable component remotely without physical access to the victim's machine.
  • Low Complexity: The attack requires no prior privileges and has low complexity, making it accessible to less sophisticated hackers.
  • High Impact: Successful exploitation can compromise the confidentiality, integrity, and availability of the affected Windows account, potentially leading to full system control.

Because the attack relies on user interaction (UI:R), Microsoft emphasizes that the risk is tied to social engineering tactics, such as sending a malicious game invite to a friend who then clicks "accept."

Affected Versions and Scope

Microsoft has confirmed that the vulnerability affects Age of Empires II: Definitive Edition versions from 1.0.0 up to, but not including, 101.103.46651.0. This means any player running a version older than 101.103.46651.0 is at risk and must update immediately.

Version 101.103.46651.0 is the first build outside the vulnerable range documented in the CVE record. Players who have not yet updated to this specific build are exposed to the remote code execution risk when joining sessions from untrusted sources.

How to Update and Secure Your Game

Updating the game is the only effective mitigation against this flaw. Microsoft explicitly warns that simply checking that Windows Update completed is not sufficient, as the vulnerability resides in the game application itself, not the operating system. The corrective update must be delivered through the specific storefront or game-distribution channel used for the installation.

Steps for Steam Users

  1. Open Steam and navigate to the game’s Properties.
  2. Check the Updates page to ensure the latest build is downloading.
  3. Review the Downloads queue to confirm the update is active.
  4. If the expected build does not install correctly, use the "Verify integrity of game files" option.

Steps for Microsoft Store Users

  1. Open the Microsoft Store application.
  2. Click the [ ∙ ∙ ∙ ] symbol next to your profile picture.
  3. Select Downloads and updates.
  4. Press the Get updates button to automatically detect and install the latest changes.
  5. Launch the game and verify the title screen displays Build 43210 (or the equivalent version number corresponding to 101.103.46651.0).

Until the corrected version is installed, the safest action for affected users is to not run the game and to avoid accepting invites from untrusted sources.

Why This Matters for Retro Gaming Security

This incident highlights a growing trend in cybersecurity: even beloved retro games are not immune to modern threats. While Age of Empires II was originally released decades ago, its Definitive Edition relies on modern network architecture that, if not properly secured, can introduce critical vulnerabilities.

Security researchers have noted that the game's network architecture previously relied on "sanity checks" that were missing, leaving the system vulnerable to commands that could manipulate opponent units or cancel research. The patch for CVE-2026-50663 addresses this by introducing necessary sanity checks for every command received from another player, effectively closing the door on remote code execution via game invites.

As Microsoft continues to update its legacy titles, the focus remains on protecting users from indirect attacks that exploit the social nature of gaming. For players, the lesson is clear: always verify your game version and treat unsolicited invites with caution, as the line between a friendly game session and a security breach can be dangerously thin.


AndroGuider Team
Articles written by the AndroGuider team. We try to make them thorough and informational while being easy to read.
Microsoft Fixes Critical Security Flaw in Age of Empires II Microsoft Fixes Critical Security Flaw in Age of Empires II Reviewed by Randeotten on 7/16/2026 05:49:00 AM
Subscribe To Us

Get All The Latest Updates Delivered Straight To Your Inbox For Free!





Powered by Blogger.