Cyberpunk Vulnerability and a Temporary Ban on Save Games
TL;DR
Very recently, news broke that the community had discovered a vulnerability in Cyberpunk 2077 that allows arbitrary (potentially malicious) code to be executed when a save game is loaded. This means that someone could hide malicious code in a save game and have an unsuspecting user load it, thus executing that code.
CDPR have since been made aware of this vulnerability in their game, but until they have fixed it, we’re forced to impose a temporary ban on new save game uploads effective from now.
It is strongly recommended to install Cyber Engine Tweaks by yamashi, which patches this vulnerability.
The exploit
In essence, the exploit allows a nefarious user to manipulate a save game file in such a way that it appears to load normally (so the unsuspecting user does not notice anything wrong), when in reality it will redirect to an external dll used by the game. This can then be used to execute malicious code on the victim’s PC.
We’d like to express our gratitude to the Cyberpunk modding community and PixelRickyRick in particular for finding and reporting this serious exploit to CDPR.
(You can find a more technical and detailed explanation of how exactly the exploit works in this PSA on the Cyberpunk subreddit, which u/Romulus_Is has thankfully written up.)
At this moment, the exploit/vulnerability is confirmed and CDPR have acknowledged it and pledged to fix the issue as a matter of urgency.
What you can do to be safe
We strongly recommend using Cyber Engine Tweaks by yamashi, who has provided a patch fixing the vulnerability and preventing the exploit from working. A huge thank you goes out to yamashi for moving so quickly.
If you are not using Cyber Engine Tweaks yet, we advise you to install it, especially if you’re using mods and/or save games from other sources. Cyber Engine Tweaks installs seamlessly with our mod manager Vortex.
Apart from that, please be cautious and only download/install save games and 3rd party tools (generally speaking, tools that contain exe and/or dll files) from trusted sources until CDPR have addressed this issue.
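As an added example (not part of the original post and not code from CDPR, Vortex or Cyber Engine Tweaks), here is one way to check a downloaded archive for exe/dll files before installing it, including files that carry a Windows executable header under a harmless-looking name. The archive contents, file names and the fake header stub are constructed for illustration.

```python
import io
import struct
import zipfile

EXEC_EXTENSIONS = (".exe", ".dll")  # the file types the post singles out


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew field
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def flag_executables(archive) -> dict:
    """Map each suspicious archive member to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(EXEC_EXTENSIONS):
                reasons.append("extension")
            with zf.open(info) as fh:
                # Only the first 4 KiB is read; the PE signature normally sits within it.
                if looks_like_pe(fh.read(4096)):
                    reasons.append("pe-header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> io.BytesIO:
    """Constructed sample archive; the 'PE' stub is a fake header, not a real binary."""
    stub = bytearray(0x48)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("saves/slot1/save.dat", b"constructed save bytes")
        zf.writestr("saves/slot1/screenshot.png", bytes(stub))  # executable header, image name
        zf.writestr("tools/helper.dll", bytes(stub))
        zf.writestr("readme.txt", b"hello")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, why in flag_executables(build_sample_archive()).items():
        print(f"{member}: {', '.join(why)}")
```

A clean result only means no executables are bundled in the archive; it says nothing about the save data itself, which is what the patch addresses.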
Temporary ban on save games
It is unfortunate that the game shipped with this vulnerability, but CDPR have since promised to address the issue as soon as possible. Until we can confirm the exploit has been fixed, we are forced to impose a temporary ban on save games effective from now. Any save game uploaded to the site after this announcement will be removed.
We will be updating this post when CDPR have fixed the exploit, at which point we should be able to lift the temporary ban on save games.
We apologise for the inconvenience and thank you for your understanding.
59 comments
More info: https://forums.cdprojektred.com/index.php?threads/hotfix-1-12.11079314/
I'm not going to be buying Cyberpunk again, at least until they make it playable. What did they expect? That they could release a broken game and no-one would notice?
Even RDR2, a game that is well-owned and even won two Steam awards for 2020, had launch issues when it was available for PC (I got it on Rockstar Launcher) and it took Rockstar months to iron out the majority of the problems. Those that own the game on Steam already have an RDR2 game with two or three huge patches ready for them on the day of the release (the launch was a month after that one on Rockstar Launcher).
Therefore I do not agree with the majority of the complaints here. Yes, I understand that there are problems that should not be a part of the delivered product, but it is not fair to complain or criticize for that. Give the company some credit (because of their earlier products and current service) and see if they are able to iron it out the months after. This is not the first game that is unfinished at launch. Hell, even Batman: Arkham Knight got two delays and had a lot of negative reviews on the day of launch. That game is now having a good rating because of the numerous patches the months after.
Crunch wouldn't happen if they spread the work out over a longer period of time and managed their time better. A lot of game development is smooth sailing for a while, then cram for a deadline. Panic when things go wrong. Cram some more and then go back to smooth lazy sailing once the deadline has passed.
This isn't only a case of the public nagging them. Sure it didn't help, but there isn't 8 years of development worth of content in the game. Not to mention how the CEO was talking about the many features we never got just last year. Just a couple months before release he even stated "The game runs surprisingly well" on the older consoles, which was a blatant lie. Why all the hoopla about putting a penis on a girl character when it changes absolutely nothing in the game (You can't even see it anywhere in the game except the menu)?
What actually happened is the CEO made a ton of promises and got a fat head from an inflated ego. Developed a game for 6-7 years, then somehow got Keanu Reeves involved, and at the same time also announced a release date. Wanting to brown nose to Keanu, they tried to change everything they had developed for 6-7 years to revolve around him. In about a year they had to rebuild everything they had instead of finishing content that needed to be finished, which is probably why so many of the features that were talked about were cut or are barely in the game.
They had to build a game in the time that's usually used for polish. All because of the ego and hubris of the CEO.
Why not complete a product and test it properly?
Because something "unplayable" is sold, regardless of the exploit it is full of bugs / crashes on everything.
Is it possible that they do not notice a thousand defects?
No ! verdict an anime 1!
Now they do not care and all!
Words words words...
I don't use Twitter and wouldn't have been aware of this if not for YouTube reports and the Nexus Forums.
CDPR have become a joke.
I have 167 hours played in early access BG3 and it's an amazing game - great looking graphics, tons of hidden things to discover when exploring, many subtle layers to dialogue, lots of character variety, and overall looking to be one of the best games of 2021 if it gets released this year.
People don't have to buy early access either - their choice and there is no gun pointing to one's head. There is full disclosure on buying an EA game for the buyer to beware. Since it is early access they also want people to help test and provide feedback which means those serious about interest, not those looking to pick up game for cheap and then sit on it till full release.
Either way there is no real comparison between BG3 EA and a fully released Cyberpunk with misleading advertising and broken promises.
Still Cyberpunk is still an amazing game and I got two play throughs before I set it aside to wait for official patches and updates.
Not really? I mean in some cases yes, but in this very particular case, it's a common tactic done to get early beta testing without just giving the game away. They're very up front and very open about the state of the game, and if you bought it expecting anything else, it's totally on you. If you wanted a finished product, you should wait.
This mentality right here is why early access is such a terrible idea to begin with. People look at it and are like 'oh i can play the game EARLY' when all early access is, is just a glorified beta test or in many cases not even out of alpha test.
The problem is people are dumb and equate early access/beta/alpha to being a demo/preview. You see it all the time. Company puts out an Alpha/beta or enters early access people get access and immediately the forums and anywhere talking about it is full of people complaining about all the bugs and how the game is unfinished, and in cases where they paid demanding a refund.
Pathetic.
It has nothing to do with not playing the game for yourself; but it's about customizing your character.
Some people don't want to spend hours and hours customizing their character and some people ARE doing that and uploading those 'saves' which is only for the cosmetic character preset.
TL:DR People use game saves to 'save' time in character customization.
Making a custom V takes hardly any time.
i fully agree.
imagine, there are also people out there who are too lazy and stupid to edit a simple ini file, instead they are using mods.
editing the control scheme takes hardly any time.
/irony off
yeah i know, dont feed the troll.
Look at you and your white knight s*** getting all offended on behalf of people you don't even know. Why do you give a s*** about them or what I do with my time? You're obviously judging me for calling out other people on being lame. I don't give a s*** about them. I'm just surprised these people can't be bothered to use the stock V or take 10 seconds to swap a nose, hair color, or skin shade. They're trying to save time? They probably spent more time browsing, downloading, unpacking, and moving the save file than it would have to just make their own V.
52marvin
save game file =/= mod
I edited the .ini myself for the dodge/crouch swap mod. Took all 60 seconds to do it. I put my money where my mouth is.
That's just as equally lame and a really petty excuse. you are just too lazy for browsing, downloading, unpacking, and moving the ini file.
Pathetic.
Well... that and license things out. Which considering how long it took to make good comic book movies? There is still hope for gaming movies to become associated with quality one day. (though by then the movie industry will likely be radically different in one fashion or other)
@driftscape You just described the comic bubble. And the housing bubble. And the South Seas Bubble. Or the Tulip Market (yes, this was a real thing). Really most bubble markets are like that until they go pop.
...What I'm saying is, you *may* want to sell your gaming stocks sooner than later... but slowly, don't spook them. Panic selling is how the End always starts.
I should point out, *I'm not an expert*. A student of history, no more or less. Industries go through these life cycles all the time. Have at least as long as we've had the concept of a Corporation.
Though you are right, it's not niche. People aren't buying video games for resale and never taking them out of the package. So maybe it's closer to the time Hollywood as a whole nearly bankrupted itself back in the 60s?
Regardless, something, probably an avalanche of somethings, is going to break at some point (probably soon?) and break badly enough that it changes the industry's landscape.
I have a question and the preset that are editors of Cybercat saves, can it also be vulnerable?
example
https://www.nexusmods.com/cyberpunk2077/mods/1082?tab=stats