Eight-Year-Old Vulnerability Found in the Unity Engine

A vulnerability has been discovered in the Unity game engine that has existed since 2017. The issue can be exploited for code execution on Android and for privilege escalation on Windows. Valve’s developers have already updated Steam, and Microsoft has updated Microsoft Defender and recommended that users uninstall vulnerable games until they receive patches.

Vulnerability

Unity is a cross-platform game engine and development platform that provides tools for rendering, physics, animation, and scripting to create games for Windows, macOS, Android, iOS, consoles, and the web. A huge number of mobile games, as well as many indie projects for PC and consoles, are built on Unity. In addition, the platform is used outside the gaming industry to create real-time 3D applications.

The Unity vulnerability has been assigned CVE-2025-59489 (8.4 on the CVSS scale) and affects the Runtime component. It enables unsafe loading and local file inclusion (LFI), which can ultimately lead to code execution and information disclosure.

The issue was discovered back in May of this year by a GMO Flatt Security specialist known as RyotaK. He says the bug affects all games built on the Unity engine starting with version 2017.1 and later.

In the technical report, RyotaK demonstrates that Unity’s handling of Android Intents allows any malicious app installed on the same device as a vulnerable game to load and execute a native library provided by the attacker. As a result, this enables arbitrary code execution with the privileges of the vulnerable game.

Although RyotaK explains that he initially discovered the issue on Android, the root cause of the vulnerability (Unity’s handling of the -xrsdk-pre-init-library command-line argument without proper validation and sanitization) is also present on Windows, macOS, and Linux. On these systems, there are various input vectors that can pass untrusted arguments or modify the library search paths for the target application, so exploitation under certain conditions is also possible on these OSes.
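As an added illustration, not code from the article or from Unity, here is a small detection routine a defender could run over process-creation telemetry: it flags Unity game launches whose command line carries -xrsdk-pre-init-library with a library path that resolves outside the game's own install directory. The JSON record format, the field names Image and CommandLine, the sample records, and the assumption that the flag's value is the token that follows it are all constructed for this example.

```python
import json
import ntpath
import posixpath
import re

# The Unity launch flag named as the root cause of CVE-2025-59489.
PRE_INIT_FLAG = "-xrsdk-pre-init-library"

# Constructed sample process-creation records (one JSON object per line); not real telemetry.
SAMPLE_LOG = r"""
{"Image": "C:\\Games\\SpaceGame\\SpaceGame.exe", "CommandLine": "SpaceGame.exe -screen-fullscreen 0"}
{"Image": "C:\\Games\\SpaceGame\\SpaceGame.exe", "CommandLine": "SpaceGame.exe -xrsdk-pre-init-library C:\\Users\\Public\\Downloads\\evil.dll"}
{"Image": "C:\\Games\\SpaceGame\\SpaceGame.exe", "CommandLine": "SpaceGame.exe -xrsdk-pre-init-library ..\\..\\Users\\Public\\evil.dll"}
{"Image": "/home/user/.steam/steamapps/common/SpaceGame/SpaceGame.x86_64", "CommandLine": "./SpaceGame.x86_64 -xrsdk-pre-init-library /tmp/payload.so"}
{"Image": "C:\\Games\\SpaceGame\\SpaceGame.exe", "CommandLine": "SpaceGame.exe -xrsdk-pre-init-library \"C:\\Games\\SpaceGame\\SpaceGame_Data\\Plugins\\x86_64\\OpenXR.dll\""}
"""

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # double-quoted token or bare token

def tokenize(cmdline):
    """Split a command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def outside_install_dir(image, lib):
    """True if lib (absolute or relative to the game directory; assumption) resolves outside it."""
    p = ntpath if "\\" in image else posixpath          # pick path rules by image style
    install_dir = p.normcase(p.normpath(p.dirname(image)))
    resolved = p.normcase(p.normpath(p.join(install_dir, lib)))  # absolute lib replaces base
    return not resolved.startswith(install_dir + p.sep)

def find_suspicious_launches(log_text):
    """Return one finding per launch that passes the pre-init library flag."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        tokens = tokenize(rec["CommandLine"])
        if PRE_INIT_FLAG not in tokens:
            continue
        idx = tokens.index(PRE_INIT_FLAG)
        lib = tokens[idx + 1] if idx + 1 < len(tokens) else ""
        # Missing value or a library outside the install tree is the high-signal case;
        # a library inside it still deserves review (assumption: may be legitimate XR use).
        severity = "high" if not lib or outside_install_dir(rec["Image"], lib) else "review"
        findings.append({"image": rec["Image"], "library": lib, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_launches(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['image']} -> {f['library']}")
```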

“The vulnerability allows local code execution and access to confidential information on end-user devices running applications built with Unity,” the Unity developers warn in their security bulletin. “Code execution will be limited to the privilege level of the vulnerable application, and information disclosure to the information available to the vulnerable application.”

Unity emphasizes that there is currently no evidence that this vulnerability has been exploited or that it has had any impact on users or customers.

Developers have already prepared patches, including for versions that are no longer supported (2019.1 and later). Older versions, whose support ended long ago, will not receive fixes. The steps to remediate the issue include updating the Unity Editor to the latest version, followed by rebuilding and redeploying the application, or replacing the Unity runtime binary in existing builds with the fixed version.

Reaction

Following RyotaK’s report, Valve released an update to the Steam client that blocks the launching of custom URI schemes to prevent exploitation of CVE-2025-59489. Valve also recommends that developers rebuild their games as soon as possible using a secure version of Unity or integrate a patched UnityPlayer.dll into existing builds.

Microsoft has also published its own security bulletin, recommending that users uninstall vulnerable games until updated versions are released in which CVE-2025-59489 is fixed. The company notes that popular games such as Hearthstone, The Elder Scrolls: Blades, Fallout Shelter, DOOM (2019), Wasteland 3, and Forza Customs are affected.

Obsidian representatives report that they were forced to temporarily remove some games and products from digital storefronts (including Grounded 2 Founders Edition, Avowed Premium Edition, Pillars of Eternity: Hero Edition, Pillars of Eternity II: Deadfire, and Pentiment) until the “necessary updates to address the issue” are released for them.

It is also known that updates have already been released for Marvel Snap, No Rest for the Wicked, Ingress, and Fate/Grand Order, and a patch for Persona 5: The Phantom X is already in development.
