Several of the first-party games from Nintendo on 3DS, Wii U, and Switch are vulnerable to an exploit that allows remote code execution.
This was one of the reasons Nintendo decided to release a patch for Mario Kart 7 recently despite it being a decade-old game that launched for the Nintendo 3DS.
This exploit allows any hacker to execute a remote code on the target system i.e 3DS, Wii U, or Switch.
All they need to do is to start an online match with the target machine.
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many first party 3DS, Wii U and Switch games.
It allows remote code execution in a victim console by just having an online game session with an attacker.
Here is a list of the games that have been discovered to be vulnerable to this exploit. »