Unity discloses severe RCE vulnerability, urges developers to apply patches

Unity is a fairly popular game engine that enables developers to make games that run across multiple platforms, including Windows, macOS, Linux, PlayStation, Xbox, Switch, and more. Its most recent version, Unity 6, was made available last year. However, Unity Technologies has now disclosed a particularly severe security vulnerability, urging developers to apply patches as soon as possible.

A public advisory from Unity's Larry "Major Nelson" Hryb indicates that Unity versions from 2017 and later have a security issue that allows remote code execution (RCE). Basically, an attacker can use the vulnerable version of Unity Runtime to execute malicious code on the user's machine and gain access to their data.

The security vulnerability is present in Unity 2017.1 and later, and impacts games made for Windows, Android, macOS, and Linux. Unity says that it has worked with distribution partners like the Microsoft Store and Valve's Steam to proactively issue patches, and there is no evidence that the bug was being exploited.

Projects that are in active development are required to be compiled through the latest patched version of the Unity Editor. Meanwhile, games that have already been published should be recompiled and republished using the new version, which can be a major hassle for developers who no longer update their old games. To work around this problem, Unity has also released a patching tool that does not require a full recompile, but this patcher does not work for games that use anti-cheat solutions.

Windows Defender has been updated to provide protection against this vulnerability and anti-malware systems in Android have been enhanced too. Additionally, Valve is also issuing security updates for Steam.

You can find more details about the vulnerability in its public CVE-2025-59489 disclosure. Keep in mind that if you don't patch your impacted game, there is a possibility that it could be pulled from storefronts, depending upon their policies. Some platforms like consoles and iOS appear to be unaffected, but Unity has recommended that developers there use the latest available version of the Unity Editor anyway. Unity says that it's okay for developers to inform customers about this vulnerability, along with assurances that there is no evidence of exploitation and that patches are readily available.
