
This House is Haunted: a decade-old RCE in the AION client

2 points | _zeta | 6 months ago | appsec.space

1 comment


_zeta | 6 months ago

Exploring how AION’s old housing system, introduced over 10 years ago, left the client vulnerable to remote code execution through Lua scripting. Even though official servers removed the feature years ago, it’s still alive (and exploitable) in legacy versions. Write-up: https://appsec.space/posts/aion-housing-exploit/