Like any other electronic device, Nintendo's gaming machines, be it the Switch or the older, now defunct ones like the 3DS and Wii U, can be hacked. That is, after all, the whole idea behind homebrew. But certain games on these devices have had severe vulnerabilities that could have allowed hackers to take control of the console, much as they would a hacked PC. The vulnerability was dubbed ENLBufferPwn, and was patched in affected games throughout the year.
The vulnerability is scattered across an unusually wide range of titles, affecting games as old as Mario Kart 7 and as recent as Nintendo Switch Sports. Especially notable was the former, which got its first patch in 10 years. All of the affected games are first-party titles made by Nintendo itself. As mentioned above, the vulnerability also affects at least three different devices, namely the Switch, 3DS and Wii U.
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many first party 3DS, Wii U and Switch games. It allows remote code execution in a victim console by just having an online game session with an attacker.
Vulnerability report: https://t.co/QbvXKQLeDf
— PabloMK7 (@Pablomf6) December 24, 2022
One of the white hat hackers who discovered the exploit, who goes by @Pablomf6 on Twitter, has a thread explaining the way it works, as well as a link to the report on GitHub. The first post even comes with a video demonstration featuring the Nintendo 3DS. To put it simply, a hacker trying to make use of the vulnerability can combine it with other OS exploits to fully take over your console. From there, they can proceed to steal sensitive information or take recordings. All this can be done just by having a victim be in the same gaming session as the cybercriminal.
Beyond the two games mentioned above, other games that were previously affected by the vulnerability and got fixed by Nintendo include Mario Kart 8, Animal Crossing: New Horizons, Splatoon 2 and 3, as well as Super Mario Maker 2. However, as Nintendo Everything notes, the Wii U versions of the affected games have not been patched, and it's unclear if any patches are being worked on.