Cyberpunk 2077's security vulnerability is now fixed

(Image credit: CD Projekt)

Update: CD Projekt says the security flaw should now be fixed, thanks to the new 1.12 hotfix.

CD Projekt Red is warning Cyberpunk 2077 players to be cautious when using mods, as a recently discovered vulnerability in a DLL file could be used to execute code on PCs and PlayStation 4 consoles running the game.

The issue came to light over the weekend thanks to Red Tools mod team member PixelRickyRick and redditor Romulus_Is_Here, who explained that "through the use of a mod or a crafted save game, malicious codes can be executed to take control of the PC by the creator of the save game/mod." The exploit was initially thought to be limited to the PC version of the game, but PixelRickyRick later confirmed that the PS4 version is vulnerable as well.

CD Projekt was made aware of the vulnerability a week ago, according to the post, but only acknowledged it today.

"A group of community members reached out to us to bring up an issue with the external DLL files the game uses," the studio said in a statement sent to Eurogamer. "This issue can be potentially used as part of a remote code execution on PCs. We appreciate their input and are working on fixing this as soon as possible. In the meantime, we advise everyone to refrain from using files obtained from unknown sources. Anyone who plans to use mods or custom saves for Cyberpunk 2077 should use caution until we release the aforementioned fix."

If you don't want to wait for that, the latest update to the Cyber Engine Tweaks mod, which includes "performance fixes, bug fixes, and fun hacks to play with," also addresses the vulnerability. I've reached out to CD Projekt to ask if there's a time frame for the official fix, and will update if I receive a reply.

Andy Chalk

Andy has been gaming on PCs from the very beginning, starting as a youngster with text adventures and primitive action games on a cassette-based TRS80. From there he graduated to the glory days of Sierra Online adventures and Microprose sims, ran a local BBS, learned how to build PCs, and developed a longstanding love of RPGs, immersive sims, and shooters. He began writing videogame news in 2007 for The Escapist and somehow managed to avoid getting fired until 2014, when he joined the storied ranks of PC Gamer. He covers all aspects of the industry, from new game announcements and patch notes to legal disputes, Twitch beefs, esports, and Henry Cavill. Lots of Henry Cavill.