An Eight-Year-Old Vulnerability Discovered in the Unity Engine

A vulnerability that has existed since 2017 has been discovered in the Unity game engine. The flaw can be exploited to execute code on Android and perform privilege escalation on Windows systems.
Valve has already updated Steam, and Microsoft has issued an update for Microsoft Defender, advising users to delete vulnerable games until developers release patches.
The Vulnerability
Unity is a cross-platform game engine and development platform that provides tools for rendering, physics, animation, and scripting to create games for Windows, macOS, Android, iOS, consoles, and the web. A large portion of mobile games, as well as many indie projects for PC and consoles, are built on Unity. Beyond gaming, it is also used in other industries for real-time 3D applications.
The vulnerability, identified as CVE-2025-59489 with a CVSS score of 8.4, affects the Runtime component of Unity. It allows unsafe loading of native libraries and Local File Inclusion (LFI), which can lead to code execution and information disclosure.
The issue was discovered in May 2025 by a researcher from GMO Flatt Security, known by the pseudonym RyotaK. According to his findings, the bug affects all Unity builds from version 2017.1 onward.
In his technical report, RyotaK demonstrated that Unity’s handling of Android Intents allows any malicious application installed on the same device as a vulnerable game to load and execute a native library supplied by the attacker. This results in arbitrary code execution with the same privileges as the vulnerable game.
While RyotaK initially discovered the flaw on Android, the root cause—Unity’s handling of the -xrsdk-pre-init-library command-line argument without proper validation or sanitization—also exists in Windows, macOS, and Linux. On these platforms, untrusted arguments or manipulated library search paths can serve as input vectors, making exploitation possible under certain conditions.
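The defect class described above is a library path taken from an untrusted argument and handed to a loader without being confined to a directory the application trusts. The following is an added illustration of the missing control, written for this article; it is not Unity's code, not Unity's patch, and the file names, directory layout and suffix policy are constructed assumptions. It canonicalises the supplied path (following symlinks and `..`), requires the result to sit inside the trusted directory and to be a regular shared-library file, and rejects everything else.

```python
"""Defensive validation of an untrusted native-library path.

Constructed illustration of the control missing in the flaw described above:
a library path taken from a command-line argument must be confined to a
directory the application trusts before it reaches a loader. This is not
Unity's code and not Unity's patch; names and policy are assumptions.
"""
import os
import tempfile
from pathlib import Path


class UnsafeLibraryPath(ValueError):
    """Raised when a caller-supplied library path fails validation."""


# Accepted shared-library suffixes (assumed policy for the example).
ALLOWED_SUFFIXES = {".so", ".dll", ".dylib"}


def validate_library_path(arg: str, trusted_dir: str) -> Path:
    """Return the canonical path for `arg` if it is safe to load.

    Safe means: resolves (following symlinks and '..') to a regular file
    inside `trusted_dir` with an allowed suffix. Anything else is rejected,
    so a path that escapes the trusted directory via traversal, an absolute
    path elsewhere, or a symlink pointing outside is never loaded.
    """
    if not arg or "\x00" in arg:
        raise UnsafeLibraryPath("empty or NUL-containing path")
    trusted = Path(trusted_dir).resolve(strict=True)
    # Relative arguments are interpreted relative to the trusted directory only;
    # absolute ones are taken as-is. Both are canonicalised before checking.
    candidate = Path(arg) if os.path.isabs(arg) else trusted / arg
    try:
        real = candidate.resolve(strict=True)
    except (FileNotFoundError, RuntimeError) as exc:  # missing file or symlink loop
        raise UnsafeLibraryPath(f"cannot resolve {arg!r}") from exc
    try:
        real.relative_to(trusted)
    except ValueError:
        raise UnsafeLibraryPath(f"{arg!r} resolves outside {trusted}")
    if real.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeLibraryPath(f"{arg!r} is not a shared library")
    if not real.is_file():
        raise UnsafeLibraryPath(f"{arg!r} is not a regular file")
    return real


def build_demo_tree() -> tuple[str, str]:
    """Create a constructed layout: <root>/app/lib/ (trusted) and <root>/elsewhere/."""
    root = tempfile.mkdtemp(prefix="libcheck-")
    trusted = Path(root, "app", "lib")
    outside = Path(root, "elsewhere")
    trusted.mkdir(parents=True)
    outside.mkdir()
    (trusted / "xr_preinit.so").write_bytes(b"\x7fELF")        # legitimate plugin stub
    (trusted / "notes.txt").write_text("not a library")
    (outside / "planted.so").write_bytes(b"\x7fELF")           # file outside the trust boundary
    (trusted / "alias.so").symlink_to(outside / "planted.so")  # symlink escaping the directory
    return str(trusted), str(outside)


def run_checks(trusted: str, outside: str) -> dict[str, str]:
    """Apply the validator to representative inputs; returns 'accepted' or 'rejected'."""
    inputs = {
        "plain": "xr_preinit.so",
        "traversal": os.path.join("..", "..", "elsewhere", "planted.so"),
        "absolute_outside": os.path.join(outside, "planted.so"),
        "symlink_escape": "alias.so",
        "wrong_suffix": "notes.txt",
        "missing": "ghost.so",
    }
    results = {}
    for name, arg in inputs.items():
        try:
            validate_library_path(arg, trusted)
            results[name] = "accepted"
        except UnsafeLibraryPath:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    t, o = build_demo_tree()
    for k, v in run_checks(t, o).items():
        print(f"{k:18} {v}")
```

Only the plain in-directory library is accepted; the traversal, the absolute path elsewhere, the symlink that escapes the directory, the wrong suffix and the missing file are all refused before any loader is involved. The same containment check belongs wherever a process accepts a search path or library name from an argument, an Intent extra or an environment variable.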
“The vulnerability allows for local code execution and access to sensitive information on end-user devices running applications built on Unity,” warned Unity developers in their security bulletin. “Code execution will be limited to the privilege level of the vulnerable application, and information disclosure will be limited to information accessible to that application.”
Unity emphasized that there are no indications of active exploitation or evidence that the vulnerability has impacted users or customers.
The company has released patches for supported versions, including some older releases starting from 2019.1. Versions that are long out of support will not receive fixes.
The recommended remediation steps include:
- Updating the Unity Editor to the latest version
- Rebuilding and redeploying the affected application
- Replacing the Unity runtime binary with the patched version
The Response
Following the publication of RyotaK’s report, Valve released an update for the Steam client that blocks the launch of custom URI schemes, preventing the exploitation of CVE-2025-59489.
Valve also advised developers to rebuild their games with a secure version of Unity or to integrate a patched UnityPlayer.dll into existing builds.
Microsoft issued its own security bulletin, recommending that users delete vulnerable games until patched versions become available. The company noted that popular titles such as Hearthstone, The Elder Scrolls: Blades, Fallout Shelter, DOOM (2019), Wasteland 3, and Forza Customs are affected.
Obsidian Entertainment announced that it had temporarily removed several titles from digital stores—including Grounded 2: Founders Edition, Avowed Premium Edition, Pillars of Eternity: Hero Edition, Pillars of Eternity II: Deadfire, and Pentiment—until updates addressing the issue are completed.
Meanwhile, patches have already been released for Marvel Snap, No Rest for the Wicked, Ingress, and Fate/Grand Order, while a fix for Persona 5: The Phantom X is currently in development.
Why It Matters
This case underscores how long-standing vulnerabilities in foundational engines can affect thousands of applications across platforms years after release. Unity’s widespread adoption means even a single flaw can ripple through the gaming ecosystem—from mobile titles to major studio releases—highlighting the importance of secure software design, validation, and timely patching across the entire development pipeline.