In brief: There’s always some inherent risk when you download mods for your games, but that risk usually comes in the form of potential save corruption or game-breaking bugs. For Cyberpunk 2077, however, an as-yet-unfixed “external DLL” vulnerability is leaving mod-equipped players open to actual system security risks.
A Redditor named Romulus_Is_Here brought the gaming community’s attention to the vulnerability in question on Sunday, and CD Projekt Red confirmed the risks in a Twitter post today.
So, what exactly is going on? According to the Redditor, “external DLL files” required by Cyberpunk 2077 can be maliciously used to execute code and take remote control of a PC through the installation of a save game or mod.
As we said, this has already been confirmed by CD Projekt Red, as you can see in the embedded tweet below. The studio advises users to “refrain from using files from unknown sources” until an official fix can be issued.
If you plan to use @CyberpunkGame mods/custom saves on PC, use caution. We’ve been made aware of a vulnerability in external DLL files the game uses which can be used to execute code on PCs. Issue will be fixed ASAP. For now, please refrain from using files from unknown sources.
— CD PROJEKT RED CS (@CDPRED_Support) February 2, 2021
CDPR says a fix is coming “ASAP,” but has not provided us with a specific timeline yet. If you’re an avid Cyberpunk 2077 player and mod user, we’d recommend playing the game unmodded for a while. Alternatively, you can download the latest version of Cyber Engine Tweaks, a well-known mod that supposedly includes a fix for this vulnerability (among other helpful improvements).
The mod’s source files are viewable on GitHub, so you can confirm for yourself that it doesn’t include any malicious code.
Hopefully, CDPR will be able to fix this problem sooner rather than later. Cyberpunk 2077’s modding scene is only going to get bigger over the coming months, and the last thing users should have to worry about is getting their machine hacked because they downloaded a seemingly harmless save game.