Unity patches 8-year-old security flaw affecting thousands of games

Alfonso Maruccia

In context: Since its debut in 2005, Unity has become a fixture of modern game development, powering everything from Cuphead and Hollow Knight to Monument Valley and Genshin Impact. But a newly disclosed vulnerability highlights how the same engine that democratized game creation can also quietly expose developers and players to long-standing security risks.

In June, security researchers discovered a potentially dangerous vulnerability in Unity-made games that has been unpatched for years. Unity Technologies has recently released patches and repair tools to address the flaw, though a complete fix for all affected games remains unlikely.

Security firm RyotaK discovered the vulnerability in games built with Unity 2017.1 and later, meaning it went unnoticed for at least eight years. Unity explains that unsafe file loading and file inclusion attacks can compromise applications on these releases, with severity depending on the operating system.

Left unchecked, cybercriminals could exploit the flaw to run malicious code or access sensitive information on local machines. The bug (CVE-2025-59489) has a CVSS severity score of 8.4 out of 10. Most operating systems are vulnerable to an elevation-of-privilege issue, while Android apps could allow malicious code execution.

Unity warns that any code execution or data access would be limited to the same privilege level as the vulnerable application, at least in theory. After being informed of the flaw months ago, the company found no evidence of exploitation by third parties. So far, no users or customers appear to be affected by the security flaw.

Unity has already fixed the security flaw in the engine's current versions, meaning developers working on newer games should be safe. For older titles, the situation is more complicated. Unity urges developers and companies to update the engine and "rebuild" their games, then deliver them to gamers and end users.

Unity also released a dedicated patching tool along with a comprehensive remediation guide. The vulnerability exists in the engine's runtime, and the patcher requires internet connectivity for Windows or macOS builds. The tool is intended for game developers only, so regular players or end users cannot use it.

In a worst-case scenario, applying the patch could break a Unity game entirely. Unity recommends that studios thoroughly test their games after updating. Applications protected by anti-tampering or anti-cheat solutions remain incompatible with the patcher.

Couple of days late with the news.

Obviously most games are old and out of patch updates etc., but it doesn’t look like a major issue, particularly if you use a 3rd party launcher like Steam.

More an issue on android.
 
"Games have to be "rebuilt" on the patched engine rather than just pushing a fix out to end users", how likely is that to happen?

Plenty of Devs have already updated their games since Friday and today it was a consistent flow of updates to many of them in my library of two thousand plus games.

I was able to use the UNITY tool to update BATTLETECH by HBS myself with no issues thanks to some great easy to understand instructions by a fellow STEAM member by the name of Jamie Wolf who has worked on many hardcore mods for BATTLETECH like RogueTech and Advanced Battletech along with creating a save editor mod for the game. Here are the quoted instructions:

" Jamie Wolf 2 hours ago 

Originally posted by PaperSpace:
BattleTech was a recent purchase and really enjoying the game so far. However, I am also quite concerned about the game potentially not getting this security patch.

@JamieWolf: You said you manually patched the files on a GoG version? Was it a simple process?

It's pretty easy, download the tool here: https://discussions.unity.com/t/cve-2025-59489-patcher-tool/1688032

Unzip and run the tool.

On the left side select windows (it defaults to android)

Then select the BT install's Unity player.dll file in the tool and run the patcher. Then you should be good. "
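The patching steps above are applied one game at a time, so a player or admin first needs to know which installed builds are Unity at all and which engine version they carry. The PowerShell script below is an added example (not from the article, the commenter, or Unity): it inventories UnityPlayer.dll files under a game library root and reports each build's embedded engine version, flagging those in the affected range the article gives (2017.1 and later). It assumes the default Steam library path and that Unity stamps its editor version into the DLL's ProductVersion; it does not detect whether a given DLL has already been patched.

```powershell
# Added example: inventory Unity builds under a game library and report the
# engine version each one embeds. Version alone says whether a build falls in
# the affected range (2017.1+); it does NOT tell you whether it was patched.
param(
    # Assumption: default Steam library root; add GOG/Epic folders as needed.
    [string]$Root = "C:\Program Files (x86)\Steam\steamapps\common"
)

function Get-UnityEngineVersion {
    param([string]$DllPath)
    # Assumption: UnityPlayer.dll carries the editor version (e.g. 2019.4.40f1)
    # in its ProductVersion resource.
    $v = (Get-Item -LiteralPath $DllPath).VersionInfo.ProductVersion
    if ($v -match '^(\d+)\.(\d+)') {
        return [pscustomobject]@{
            Version = $v
            Major   = [int]$Matches[1]
            Minor   = [int]$Matches[2]
        }
    }
    return $null
}

function Test-AffectedRange {
    param([int]$Major, [int]$Minor)
    # Article: games built with Unity 2017.1 and later are affected.
    return ($Major -gt 2017) -or ($Major -eq 2017 -and $Minor -ge 1)
}

# UnityPlayer.dll sits next to the game executable in the game's root folder,
# so the parent directory name is a good enough label for the title.
Get-ChildItem -LiteralPath $Root -Recurse -Filter 'UnityPlayer.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = Get-UnityEngineVersion -DllPath $_.FullName
        [pscustomobject]@{
            Game    = $_.Directory.Name
            Unity   = $(if ($info) { $info.Version } else { 'unknown' })
            InRange = $(if ($info) { Test-AffectedRange $info.Major $info.Minor } else { $null })
            Path    = $_.FullName
        }
    } | Sort-Object Game | Format-Table -AutoSize
```

Builds that report `InRange = True` need either a rebuilt release from the developer or the Unity patcher run against that UnityPlayer.dll; re-run the script after updates to confirm the version changed.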
 
"Games have to be "rebuilt" on the patched engine rather than just pushing a fix out to end users", how likely is that to happen?

In theory, it should be as simple as replacing the affected .dll(s) and rebuilding the game. I highly doubt an engine-level fix is going to cause any significant differences in how the code executes. You do need to do a minimum amount of verification testing to confirm nothing is amiss, but I'd imagine most titles get patched in short order.
 
In theory, it should be as simple as replacing the affected .dll(s) and rebuilding the game. I highly doubt an engine-level fix is going to cause any significant differences in how the code executes. You do need to do a minimum amount of verification testing to confirm nothing is amiss, but I'd imagine most titles get patched in short order.
The article says it requires the app to be rebuilt with the new library; a replacement of DLLs was insufficient to fix the problem. This is why I made the comment I did.
 
The article says it requires the app to be rebuilt with the new library; a replacement of DLLs was insufficient to fix the problem. This is why I made the comment I did.
I meant on the developers' side; on their end they should just need to take the updated .dlls provided and rebuild the application against them. So yes, they need to go through the effort of making/releasing a new build, but it should be relatively painless.