A code execution vulnerability in the Unity game engine could be exploited to achieve code execution on Android and privilege escalation on Windows.
Unity is a cross-platform game engine and development platform that provides rendering, physics, animation, and scripting tools for developers to create titles for Windows, macOS, Android, iOS, consoles, and the web.
A large number of mobile games are built with Unity, as well as indie and mid-tier PC/console titles. The platform is also used in non-gaming industries for real-time 3D applications.
Valve and Microsoft warn users
In response to the risk, Steam has taken action by releasing a new Client update that blocks the launching of custom URI schemes to prevent exploitation through its distribution platform.
At the same time, Valve recommends that publishers rebuild their games using a safe Unity version, or plug a patched version of the ‘UnityPlayer.dll’ file right into their existing builds.
Microsoft has also published a bulletin to warn about the issue, recommending users to uninstall vulnerable games are uninstalled until new versions that address CVE-2025-59489 become available.
The company said that popular game titles are vulnerable, including Hearthstone, The Elder Scrolls: Blades, Fallout Shelter, DOOM (2019), Wasteland 3, and Forza Customs.
Unity recommends developers to update the editor to the latest version branch and then recompile and redeploy their games or applications.
Patch extended to some unsupported versions
... continue reading