Gamers And Developers Urged To Patch Severe Unity Flaw Immediately

Published on Oct 8, 2025
Written by Caitlin Harris

A cybersecurity researcher has discovered a high-severity vulnerability in Unity, one of the world’s most popular game development tools.

According to Unity’s website, 70% of the top thousand mobile games are built with its engine. This includes titles such as Pokémon GO, Among Us and Hollow Knight, as well as Ori and the Blind Forest.

Tracked as CVE-2025-59489 and with a CVSS score of 8.4, the flaw affects all apps built using impacted versions of the Unity Gaming Editor, enabling attackers to control the command-line arguments passed to these applications and execute arbitrary code. By hijacking the permissions granted to Unity games, attackers could remotely access confidential information on end-user devices running these apps.

However, Unity advises that code execution would be “confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application.”

There is no evidence yet of exploitation in the wild, but the risk of exploitation remains high because of the company’s footprint in the game development industry.

RyotaK, the security engineer behind the discovery, disclosed their findings to Unity, who have now released patches for the issue.

In a statement, RyotaK said: “We appreciate Unity’s commitment to addressing this issue promptly and their ongoing efforts to enhance the security of their platform. Security vulnerabilities are an inherent challenge in software development, and by working together as a community, we can continue to make software systems safer for everyone.”

Microsoft is urging gamers to temporarily uninstall vulnerable Microsoft apps and games until developers release updated versions. While RyotaK initially discovered the vulnerability on Android, Microsoft reports that it also affects Windows, Linux (desktop and embedded) and macOS systems, but it doesn’t seem to be exploitable on iOS, Xbox or HoloLens.

Video game developer and distributor Valve has also implemented measures to protect customers using its Steam platform, with Steam announcing that it will block attempts to launch any games that could potentially be malicious as outlined in Unity’s report. 

“Valve has released a new Steam Client update to all users. The update blocks launching a game through the Steam Client custom URI scheme (steam://) or an OS shortcut if any of the four command line parameters listed in the Unity report are present in the launch request,” the company said.

In an interview with Cointelegraph, a Google spokesperson said that Google Play is also aware of the vulnerability and will “support helping developers release patched versions of their apps as quickly as possible.”

“Based on our current detections, malicious apps exploiting this vulnerability are not found on Play,” the spokesperson added.

Remediation Guidance

Developers should urgently update any apps or games created using the Unity Gaming Editor (version 2017.1 or later). If a game is under active development, developers can use a new, updated version of the Unity Editor to rebuild it. Once updated versions have been created, developers should distribute them to all users. 

Gamers should follow guidance from Unity or their platform providers to check whether any of the applications they use are affected, and install any required updates. Those using Microsoft-owned games and apps can check whether they are affected by the vulnerability by referring to Microsoft’s Security Updates Table.

For individuals with automatic updates enabled, fixes will be deployed without further action. Those without automatic updates enabled should check whether any of their downloaded apps or games have updates available and install the latest versions as soon as possible.

Additionally, Unity has urged consumers to maintain current antivirus software and avoid any suspicious downloads.
