A critical vulnerability has been identified in the rAthena MMORPG server software, which could allow a remote, unauthenticated attacker to take complete control of the server. This heap-based buffer overflow in the login server can be exploited to execute arbitrary code, potentially leading to server compromise, data theft, and significant service disruption. Organizations are urged to apply the recommended updates immediately to mitigate this severe risk.

The vulnerability is a heap-based buffer overflow within the login server component of the rAthena software. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted packet to the login server. This action overwrites memory buffers in a way that allows the attacker to execute arbitrary code on the target server with the privileges of the server application.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high potential for widespread impact with minimal effort from an attacker. Successful exploitation could lead to a complete compromise of the game server infrastructure. Potential consequences include theft of sensitive data such as player account credentials, manipulation of the game environment, extended service downtime, and the use of the compromised server as a pivot point for further attacks against the organization's internal network.

Immediate Action: Immediately update all instances of rAthena is an Multiple Products to a version that includes commit 2f5248b or a later version. After patching, monitor for any signs of exploitation attempts by reviewing server and network access logs for unusual activity.

Proactive Monitoring: Implement enhanced monitoring of the login server. Look for anomalous network traffic patterns, malformed login packets, and unexpected crashes or restarts of the login server process. Monitor system logs for signs of unauthorized commands or processes being executed.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:

• Place the login server behind an Intrusion Prevention System (IPS) with rules designed to detect and block buffer overflow attempts.
• Restrict access to the login server port to trusted IP ranges, if possible.
• Enhance server hardening and ensure the rAthena process runs with the lowest possible privileges to limit the impact of a potential compromise.

Public Exploit Available: false

Due to the critical severity (CVSS 9.8) of this vulnerability, immediate action is required. We strongly recommend that all affected rAthena servers be patched to the latest version without delay. Although this CVE is not yet on the CISA KEV list, its high impact and ease of exploitation make it a prime target for attackers. If patching is delayed, compensating controls and proactive monitoring should be implemented immediately as a temporary mitigation measure.