
Unity Patches 8-Year-Old Security Flaw Impacting Games Across Multiple Platforms

Unity Fixes Critical 8-Year-Old Vulnerability Affecting Major Platforms

Unity has officially patched a severe security vulnerability (CVE-2025-59489) that had quietly existed in its engine since version 2017.1. The flaw, which exposed projects to unsafe file loading and local file inclusion attacks, could have led to remote code execution, sensitive data exposure, or privilege escalation on affected applications. Discovered by RyotaK of GMO Flatt Security Inc. on June 4, 2025, the vulnerability was addressed with a patch released on October 2, 2025, with no known real-world exploitation reported so far.

Larry Hryb of Unity, also known as Major Nelson, urged all developers using vulnerable versions to update immediately to the latest Unity Editor, recompile their projects, and re-upload them. As an alternative, developers can use the Unity Binary Patch tool to replace runtime libraries without a full rebuild. Even older, unsupported versions from 2017.1 to 2019.1 are now covered by an extended patch to minimize potential risks.

Unity’s major platform partners acted swiftly to protect users. Valve integrated the patch into the latest Steam update, Microsoft enhanced Windows Defender to detect and block related threats, Google’s malware scanning in Android automatically mitigates potential exploits, and Meta implemented its own platform-level protections. These measures aim to shield players and users even before developers update their games.

The vulnerability does not affect platforms like iOS, visionOS, tvOS, Xbox, Nintendo Switch, PlayStation, UWP, Quest, or WebGL due to different runtime behaviors. Unity clarified that the exploit risk is limited to local access and cannot be triggered remotely. Still, developers are strongly advised to update immediately, especially considering that over 70% of top mobile games are built on Unity.

The impact on the gaming industry was immediate. Obsidian Entertainment temporarily removed titles such as Grounded, Avowed, and Pillars of Eternity from Steam while applying the fix before relaunching them. Other studios, like those behind No Rest for the Wicked, have already pushed updates, reassuring players that their save data remains safe. The result was a surge of patches and game updates across Steam over the weekend.

This incident underscores the critical importance of regular security audits, even for long-standing software. While no active attacks have been detected, the discovery highlights how vulnerabilities hidden for years can pose widespread risks across the gaming ecosystem.
