Redazione RHC : 7 October 2025 07:22
A vulnerability that has been present since 2017 has been discovered in the Unity game engine. It can be exploited for code execution on Android and for privilege escalation on Windows.
Valve has already updated the Steam client, and Microsoft has updated Microsoft Defender and is advising users to uninstall vulnerable games until patched versions are available.
Unity is a cross-platform game engine and development platform that provides rendering, physics, animation, and scripting tools for creating games for Windows, macOS, Android, iOS, consoles, and the web. Unity powers a large number of mobile games, as well as numerous independent projects for PC and consoles. The platform is also used outside the gaming industry to create real-time 3D applications.
The vulnerability in Unity, tracked as CVE-2025-59489 (CVSS score 8.4), affects the Runtime component. It allows unsafe file loading and local file inclusion (LFI), which can lead to code execution and information disclosure.
The issue was discovered in May of this year by a security researcher at GMO Flatt who goes by the pseudonym RyotaK. According to RyotaK, the bug affects all Unity-based games built with version 2017.1 or later.
In a technical report, RyotaK demonstrates that Unity's handling of Android intents allows any malicious app installed on the same device as a vulnerable game to make that game load and execute a native library supplied by the attacker. The result is arbitrary code execution with the vulnerable game's privileges.
The vulnerability allows “local code execution and access to sensitive information on end-user devices running Unity-based applications,” Unity developers warn in their security bulletin. “Code execution would be limited to the privilege level of the vulnerable application, and information disclosure would be limited to information accessible to the vulnerable application.”
At the time of writing there is no evidence that the vulnerability has been exploited in the wild or that it has had any impact on users or customers.
Unity has already released patches, including for versions that are otherwise out of support (back to 2019.1); older, long-unsupported versions will not receive fixes. Remediation consists of either updating the Unity editor to a patched version and then rebuilding and redeploying the application, or replacing the Unity runtime binary in existing builds with a patched version.
Following RyotaK's report, Valve released a Steam client update that blocks custom URI schemes from being used to exploit CVE-2025-59489. Valve also recommends that developers rebuild their games with a fixed version of Unity as soon as possible, or apply a patched UnityPlayer.dll to existing builds.
Microsoft also published its own security bulletin, recommending that users uninstall vulnerable games until updated versions addressing CVE-2025-59489 are released. The company notes that popular games affected by the vulnerability include Hearthstone, The Elder Scrolls: Blades, Fallout Shelter, DOOM (2019), Wasteland 3, and Forza Customs.
Obsidian representatives say they have been forced to temporarily remove certain games and products from digital stores (including Grounded 2 Founders Edition, Avowed Premium Edition, Pillars of Eternity: Hero Edition, Pillars of Eternity II: Deadfire, and Pentiment) until they receive the “necessary updates to address the issue.”