Security issues regarding AltWFC servers

      Security issues regarding AltWFC servers or malicious DNS entries


      Important things first: If you are playing on Wiimmfi, either using automatic DNS, the Wiimmfi DNS (95.217.77.151 or 95.217.77.181), the RiiConnect24 DNS (164.132.44.106) or other trustworthy DNS servers like the ones from Google, this message does NOT apply to you.
      It only applies if you play on an AltWFC clone, or if you are using untrustworthy DNS servers or networks.

      TL;DR at the bottom.

      The Wii (and WiiU) is a relatively old console (14 years Wii, 8 years WiiU), and both of them haven't been receiving security updates from Nintendo in a long time. While that is a good thing when you are trying to mod / homebrew your own console or play online on Wiimmfi (easy access through the license agreement), it also means that more and more security issues are found in the console(s) and/or the games that can be abused.

      In 2018, we noticed that there was a critical bug in Mario Kart Wii which could, in theory, be abused to run cheat codes / executable code on *other* consoles, just by being in the same Mario Kart Wii race as them. Obviously, that's a bad thing, because it would allow hackers / cheaters to brick your Wii if they wanted to. This critical bug was the main reason why we introduced new Wiimmfi patchers back then which fixed this bug. This means, when you play on Wiimmfi this bug cannot be abused and is no risk to your console anymore.

      Also, in 2018, Fullmetal5 created the "str2hax" exploit, which is what is used to load the Wiimmfi patcher from the Wii End User License Agreement to let you play on Wiimmfi without homebrew. This works by abusing the License Agreement display, by sending executable code to the console instead of an HTML page. We (on the Wiimmfi server) are using that to send a Wiimmfi patcher to the console and autostart it, but a malicious attacker (if you were using a malicious DNS server) could theoretically send bricking codes instead of a Wiimmfi patcher.

      In addition to these two main bugs there have been a couple smaller ones as well, that could in theory be abused for similar things. All of them have been patched on Wiimmfi as well.
      _____________________________________________________________________________

      Until very recently, the bug that we've fixed with the new Wiimmfi patchers wasn't widely known. The codes needed to abuse that bug weren't public, and only a few people (MrBean (who first found the security issue), Chadderz, Wiimm and me; plus Star, a hacker who later found the security issue as well) knew how exactly the bug worked. We didn't want to make it widely known how it worked.

      However, Star (sadly) decided to make his exploit code public, which means that on unpatched servers (ANY non-Wiimmfi server) a malicious attacker could now brick your Wii just by being in the same Mario Kart Wii room as you; and the operators of that server could brick your console when you connect to their server. Similarly, if you use a malicious DNS server provided to you by an attacker, he could brick your Wii when you try to view the License Agreement.

      Now what I'm saying does not mean that connecting to an AltWFC server will instantly brick your console. However, if the operator of that server would decide to do that, for whatever reason, they *could* absolutely do that. Similarly for playing on an AltWFC server. This announcement doesn't mean that your Wii will instantly be bricked when you play a race on AltWFC - but in theory, every player in your race would have the theoretical opportunity to do so.

      TL;DR (Summary of the above)

      • If you are playing on Wiimmfi, on a trustworthy network, with a trustworthy DNS server (Wiimmfi or RiiConnect24, or "standard" ones like Google), you are safe.
      • If you are using a malicious DNS server operated by an attacker (or if the attacker controls your network), that attacker could brick your console when you view the EULA, visit a web page in the Internet Channel, or try to connect to an AltWFC-based server.
      • If you are playing Mario Kart Wii on an AltWFC-based server, any player in your race could theoretically brick your console if they wanted to. This does NOT apply to Wiimmfi!
      We are strongly recommending the use of Wiimmfi instead of any other AltWFC-based server for Wii online gameplay, and we also recommend sticking to well-known DNS servers (like Wiimmfi (95.217.77.151 or 95.217.77.181), RiiConnect24 (164.132.44.106), or public DNS servers like Google). Otherwise, there is a risk of getting your Wii bricked.

      DevkitPro archive (old versions): wii.leseratte10.de/devkitPro/
      Want to donate for Wiimmfi and Wii-Homebrew.com? Patreon / PayPal

      This post has been edited 0 times, last by Leseratte ()

      Yeah, that's why that risk is mentioned as well.

      But I'd imagine that getting people to enter a malicious DNS server would still get you less "victims" than going on an AltWFC clone and just leave your console running for a while. We are just announcing that there is this theoretical risk, so nobody can say afterwards "why has nobody warned me".

      Never underestimate the amount of time that cheaters or hackers put into inconveniencing other players...


      I know this is a vulnerability, but do you really think anyone would go through the hassle of trying to brick people's Wii for whoever is on the network? It's kind of a 1/1000th chance someone would do that tbh

      This post has been edited 1 time, last by Leseratte (), for the following reason: No need to quote my full post.

      @FancyDolphin Nope. A cheat code to brick your own Wii has existed publicly for quite some time. And now there also is public source code on how to abuse this exploit to run codes on another player's console (on servers other than Wiimmfi). It's not plug-and-play, but a malicious person / hacker or anyone who has ever made any kind of cheat code will probably be able to put 2 and 2 together and get a code to brick other players' consoles; that's why I made that announcement - so people are aware that playing on AltWFC servers is dangerous.

      @Varon Yeah, it is unlikely, but not that unlikely. There's a bunch of cheaters that annoy other players or even freeze their consoles, it's not that far off that one of them would also try to brick Wiis. It's still your decision, if you want to you can play on AltWFC all you want; I'm just warning people that that *can* happen.


      FancyDolphin wrote:

      @Leseratte Fair enough, though Seeky has made a code to protect against RCE. AFAIK PAL at least works.
      While useful, that's not automatically added to every user's Wii, so if someone forgets to run it (or doesn't know how - NoSSL patchers don't auto-inject it) then :/

      I currently host the DLS1, GAMESTATS, and Peerchat server for Wiimmfi. If you have any issues with leaderboards (excluding MKW!), Mystery Gifts or other in-game downloadables, or Pokémon Wi-Fi Plaza, I can try to help!

      It is highly unlikely that attackers will be able to "escape" the Dolphin Emulator and run malicious code on your computer with this exploit. That would require another bug in Dolphin (not in the game) that would allow you to break out of the emulated machine onto the host.


      I'm a little bit suspicious with you Leseratte after making this announcement. Even though this is a security vulnerability for altwfc or any other dwc emulated server, why would you care about those servers a lot instead of Wiimmfi? Unless you don’t want anyone but Wiimmfi to have this patch to ensure that people only use their server. What do you say on sharing the patch?

      ...Words cannot describe how stupid that response is. No, the point is to make sure that people don't get their consoles damaged, not to attempt to maintain some monopoly on MKW usership, you dolt. He's doing the responsible thing by telling people what the risks are. The vulnerability is not actually fixable server-side, hence we wrote a custom patching service for Wiimmfi to mitigate the problem, along with specialised patchers to allow the server to patch the game on-the-fly. It's not easy to simply "share" that, given it's highly specific to this server (and Wiimmfi is not at all based on the open source dwc emulator that altwfc and other clones are).

      Maybe next time you should just ask nicely instead of spinning conspiracy theories.

      What are the chances that the old Wiimmfi DNS address (46.4.79.141) could be obtained by an attacker to brick anyone who attempts to use it?

      I'm concerned that if someone sees a tutorial that is not updated, they could connect to the malicious DNS and get their console bricked if that IP is no longer controlled by Wiimmfi, and is obtained by a malicious 3rd party.

      @Varon I believe that MrBean has already said almost everything there is to say about this topic, but just a quick addition: You did notice that a couple posts above yours a patch was posted for the RCE vulnerability? That fix is not identical to the one on Wiimmfi, but it'll have the same effect.

      @Gamebuster Yes, theoretically if an attacker were able to obtain that IP address, he'd be able to host malicious stuff on that server, which could then run malicious code on consoles when the License Agreement is opened. However, there is no way to ask the hoster for that specific IP address, so the only people who would be able to abuse that would be the one random person who currently rents the server with that particular IP; or maybe employees of Hetzner (the company which operates the data centers where Wiimmfi is hosted).

      @Zak Yes, using the Wiimmfi option in a USB Loader is safe, same as any other Wiimmfi patchers.
