A major vulnerability in the Unity game engine has triggered emergency updates from Microsoft and Steam, affecting millions of gamers worldwide.
Quick Summary – TLDR:
- A security flaw (CVE-2025-59489) in Unity could allow code execution and data leaks across Android, Windows, macOS, and Linux platforms
- Microsoft and Valve issued urgent guidance and updates to protect users and developers
- Popular games like Hearthstone, Fallout Shelter, and Wasteland 3 are among those affected
- Developers are urged to update Unity Editor versions or patch their runtime libraries
What Happened?
A high-severity flaw in the Unity game engine allows attackers to exploit how Unity handles command-line arguments. This vulnerability, rated 8.4 on the CVSS scale, can enable attackers to load malicious libraries and execute arbitrary code, compromising the integrity of apps and games built using Unity.
The flaw, discovered by security researcher RyotaK from GMO Flatt Security, affects Unity versions dating back to 2017.1. It has raised concerns across the gaming industry, with Microsoft and Valve taking proactive measures to minimize the risks.
I reported an arbitrary code execution in Unity Runtime, which affects all versions starting from Unity 2017.1.
— RyotaK (@ryotkak) October 3, 2025
As the vulnerability can be exploited without specific usage, I strongly encourage developers to patch.
Technical details below: https://t.co/af3d28rXw3
The CVE-2025-59489 Vulnerability Explained
The flaw stems from Unity’s support for application debugging, particularly how it processes Android Intents and command-line arguments. Here’s what makes it dangerous:
- Android devices are vulnerable to local attacks where a malicious app can trick Unity apps into loading unsafe native libraries.
- On Windows, if a Unity-based application uses a custom URI scheme, it could be exploited remotely to trigger unsafe behavior.
- macOS and Linux are also at risk due to similar argument-handling weaknesses in Unity’s runtime.
Unity confirmed the vulnerability allows attackers to access sensitive data and execute code with the same privileges as the affected app, though no active exploitation has been detected so far.
What Are Microsoft and Valve Doing?
Microsoft is assessing its ecosystem to identify potentially vulnerable games and applications. It advised users to uninstall affected software until updates become available and confirmed it has added detection rules to Microsoft Defender.
Meanwhile, Valve took swift action through a Steam Client update, which now blocks games attempting to launch with certain dangerous command-line arguments tied to the Unity flaw. Valve also urged developers to rebuild their games with a safe Unity version or to replace the runtime with a patched UnityPlayer.dll file.
Both companies are pressing developers to act immediately to avoid potential exploits.
Unity’s Response and Developer Guidance
Unity has rolled out patches in several recent and legacy branches:
- Updated Unity Editor versions include 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2.
- Patches have also been pushed to out-of-support versions starting from 2019.1.
- Older unsupported versions will not receive updates.
Developers are strongly encouraged to:
- Upgrade to the latest Unity Editor version.
- Rebuild and redeploy affected applications.
- If rebuilding isn’t possible, manually replace the Unity runtime with a patched UnityPlayer.dll file.
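To help triage which builds still need the fix, here is an added example (not Unity’s, Microsoft’s or Valve’s code) that compares a build’s Unity version against the patched versions listed above; it assumes the version string can be found as plain ASCII in a build file such as the *_Data/globalgamemanagers file, and the sample bytes are constructed for illustration.

```python
import re

# Fixed Unity Editor versions named above; a build on the same release branch
# at this version or newer is treated as patched.
FIXED_VERSIONS = ["6000.3.0b4", "6000.2.6f2", "6000.0.58f2", "2022.3.67f2", "2021.3.56f2"]

# Unity version strings look like 2022.3.67f2: year/major, minor, patch, release type, build.
VERSION_RE = re.compile(rb"(\d{4})\.(\d+)\.(\d+)([abfp])(\d+)")
# Release-type ordering Unity uses: alpha < beta < final < patch release.
RELEASE_ORDER = {"a": 0, "b": 1, "f": 2, "p": 3}


def parse_version(text):
    """Turn '2022.3.67f2' into a tuple that sorts in release order."""
    m = VERSION_RE.fullmatch(text.encode())
    if not m:
        raise ValueError(f"not a Unity version string: {text!r}")
    major, minor, patch, kind, build = m.groups()
    return (int(major), int(minor), int(patch), RELEASE_ORDER[kind.decode()], int(build))


def patch_status(version):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a build's Unity version."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:2] == f[:2]:  # same release branch, e.g. 2022.3 or 6000.2
            return "patched" if v >= f else "vulnerable"
    # Fixes also went to out-of-support branches from 2019.1 on, but their
    # version numbers are not listed here, so those builds cannot be classified.
    return "unknown-branch"


def find_unity_version(blob):
    """Extract the first Unity version string from raw build-file bytes (assumption: ASCII)."""
    m = VERSION_RE.search(blob)
    return m.group(0).decode() if m else None


# Constructed sample: a few header bytes followed by the version string, as a
# stand-in for the start of a real globalgamemanagers file.
SAMPLE_BLOB = b"\x00\x00\x00\x13\x00\x01\x02\x03\x00\x00\x00\x16" + b"2022.3.60f1\x00" + b"\x13\x00\x00"

if __name__ == "__main__":
    found = find_unity_version(SAMPLE_BLOB)
    print(found, "->", patch_status(found))  # 2022.3.60f1 -> vulnerable
```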
Unity highlighted that exploitation is still restricted to the privileges of the vulnerable application, limiting potential system-wide damage. Still, given how widespread Unity’s use is in the gaming world, the threat remains significant.
Games Confirmed as Affected
Microsoft listed several major titles impacted by the flaw, including:
- Hearthstone
- The Elder Scrolls: Blades
- Fallout Shelter
- DOOM (2019)
- Wasteland 3
- Forza Customs
These games may be temporarily unsafe if still running outdated versions. Users are urged to check for updates or uninstall until official patches are applied.
SQ Magazine Takeaway
Honestly, this is one of those vulnerabilities that hits deep because Unity is everywhere. Whether you’re on a mobile game or a PC title, chances are it’s built with Unity. The fact that attackers could sneak in code just by abusing a launch argument or Android Intent is scary. I appreciate that Microsoft and Valve acted quickly, but it’s up to developers now to push those fixes fast. If you’re a gamer, keep your apps updated. If you’re a dev, don’t sit on this. This is the kind of bug that bad actors dream of.