Unity has just disclosed a major security vulnerability affecting most platforms and every version of Unity from Unity 2017 all the way up to the latest Unity 6.x releases. The vulnerability is in games and applications built with Unity, not in the Unity editor itself. Demonstrated on Android, it allows an attacker to execute arbitrary code in a vulnerable application. In the Unity Hub, every version of the Unity editor from 2019 onward now has an update available that fixes the vulnerability. Earlier today Unity sent out the following email:
An important message
A security vulnerability was identified that impacts games and applications built on Unity versions 2017.1 and later for Android, Windows, Linux, and macOS operating systems. There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers. We have proactively provided fixes that address the vulnerability, and they are already available to all developers. The vulnerability was responsibly reported by the security researcher RyotaK, and we thank him for working with us.
Key Facts:
- There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.
- Unity has worked in close collaboration with our platform partners, who have taken additional steps to secure their platforms and protect end users.
- Released games or applications using Unity 2017.1 or later for Windows, Android, macOS, or Linux may contain this vulnerability.
- Unity has released an update for each of the major and minor versions of the Unity Editor starting with Unity 2019.1.
- Unity has released a binary patcher to patch already-built applications dating back to 2017.1.
What Actions Should You Take?
You need to take action if you have developed and released a game or application using Unity 2017.1 or later for Windows, Android, or macOS. It is imperative that you review the following guidance to ensure the continued safety of your users.
- If your project is still in active development:
  - Download the patched update for your version of the Unity Editor, available via Unity Hub or the Unity Download Archive, before building and publishing. This will ensure that your releases are fully protected.
- Games and applications already built:
  - We strongly recommend you download the patched update for your version of the Unity Editor, recompile, and republish your application.
  - We have provided a tool to patch already-built applications dating back to 2017.1 for Android, Windows, and macOS for developers who prefer not to rebuild their projects. The tool can be accessed here.
- For Android or Windows applications, some additional protections are being put in place:
  - If your Android application is distributed through Google Play, other third-party Android app stores, or direct download: As an additional layer of defense, Android's built-in malware scanning and other safety features will help reduce risks to users posed by this vulnerability. This does not replace the time-critical need to apply the patch update for affected apps. (These protections do not apply to AOSP-based platforms unaffiliated with Google.)
  - If your application targets Windows: For Windows-based applications, Microsoft Defender has been updated and will detect and block the vulnerability. Valve will issue additional protections for the Steam client.
- If your application employs tamper-proofing or anti-cheat features:
  - You will need to rebuild your project with the patched update for your version of the Unity Editor and redeploy to maintain these protections. Patching your existing application is not possible because it will trip the tamper protection.
Additional Platforms:
- For Horizon OS: Meta devices have implemented mitigations so that vulnerable Unity apps running on Horizon OS cannot be exploited.
- For Linux: The vulnerability presents a much lower risk on Linux compared to Android, Windows, and macOS.
- For all other Unity-supported platforms, including iOS, there have been no findings to suggest that the vulnerability is exploitable.
- For the best security, we always recommend you are on the latest patch release of the version of Unity you are using.
Customer Guidance:
- There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.
- Advise your users to keep their devices and applications updated, enable automatic updates, and maintain current antivirus software.
- Encourage security best practices, including avoiding suspicious downloads and routinely updating all software.
Our Commitment: Unity is dedicated to the security and integrity of our platform, our customers, and the broader community. Transparent communication is central to this commitment, and we will continue to provide updates as necessary.
For comprehensive technical details, please consult our patching tool and remediation guide, Security Advisory, and CVE-2025-59489. If you have any questions, join us in Discussions, or if you need additional support you can open a ticket at support.unity.com.
Please also consult our FAQ.
Your proactive attention to this matter is essential to protect your users and help you uphold the highest standards of security.
Key Links
CVE-2025-59489: Arbitrary Code Execution in Unity
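The first question the email above poses to a developer is which Unity editor stream a shipped build actually came from, since only builds from 2017.1 onward are in scope and the rebuild-or-binary-patch decision follows from that. The triage helper below is an added example written for this page; it is not Unity's patcher, nor code from the article or the advisory. It assumes (this is not stated on the page) that a Unity player build embeds the editor version as a plain string such as `2021.3.15f1` somewhere in its data files (for example `globalgamemanagers` or `data.unity3d` in a desktop build, or under `assets/bin/Data` in an unpacked APK), so it scans whole files for that pattern rather than parsing any file format. The 2017.1 threshold is the email's; a hit only means the build is in the affected range, and the exact version still has to be compared against the fixed-release list in Unity's advisory, which is not reproduced here.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# Shape of a Unity version string: "2019.4.40f1", "2022.3.10f1",
# "6000.0.23f1" (Unity 6) or "5.6.7f1". Group 4 is the release channel
# letter (a=alpha, b=beta, f=final, p=patch, c/x occasionally seen).
UNITY_VERSION_RE = re.compile(rb"(\d{1,4})\.(\d{1,2})\.(\d{1,3})([abcfpx])(\d{1,3})")


def _plausible_major(major: int) -> bool:
    """Discard false positives such as a stray '1.2.3f4' in other binary data.

    Unity editor streams are 4.x/5.x, the year-named 2017..2023 streams and
    the 6000.x stream (Unity 6).
    """
    return major in (4, 5) or 2017 <= major <= 2023 or 6000 <= major < 7000


@dataclass(frozen=True)
class UnityVersion:
    major: int
    minor: int
    patch: int
    channel: str
    build: int

    @classmethod
    def parse(cls, text: str) -> "UnityVersion":
        m = UNITY_VERSION_RE.fullmatch(text.encode("ascii"))
        if not m:
            raise ValueError(f"not a Unity version string: {text!r}")
        major, minor, patch, channel, build = m.groups()
        return cls(int(major), int(minor), int(patch), channel.decode("ascii"), int(build))

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}{self.channel}{self.build}"


# Threshold taken from the email: builds from Unity 2017.1 onward are in scope.
AFFECTED_FROM: Tuple[int, int] = (2017, 1)


def in_affected_range(v: UnityVersion) -> bool:
    """True when the build comes from an editor stream the advisory lists (2017.1+).

    This is a range check, not a patched/unpatched verdict: Unity shipped fixed
    releases inside each affected stream, so a True result means "compare the
    exact version against Unity's published fixed-release list", nothing more.
    """
    return (v.major, v.minor) >= AFFECTED_FROM


def find_unity_versions(data: bytes) -> List[UnityVersion]:
    """Extract every distinct, plausible Unity version string in a binary blob."""
    found: List[UnityVersion] = []
    for m in UNITY_VERSION_RE.finditer(data):
        v = UnityVersion.parse(m.group(0).decode("ascii"))
        if _plausible_major(v.major) and v not in found:
            found.append(v)
    return found


def triage_blob(data: bytes) -> Optional[str]:
    """Classify one player file; None when no Unity version string is present."""
    versions = find_unity_versions(data)
    if not versions:
        return None
    flagged = [str(v) for v in versions if in_affected_range(v)]
    if flagged:
        return ("REVIEW: built with " + ", ".join(flagged)
                + " (2017.1 or later); check against Unity's fixed-release list, "
                  "then rebuild on a patched editor or run Unity's binary patcher")
    return "OUT OF SCOPE: " + ", ".join(str(v) for v in versions) + " predates 2017.1"


def triage_file(path: Path) -> Optional[str]:
    """Convenience wrapper: point it at globalgamemanagers, data.unity3d, etc."""
    return triage_blob(path.read_bytes())


# Constructed sample inputs (not real build artifacts): a version string
# surrounded by binary noise plus a decoy "1.2.3f4" that must not match.
SAMPLE_AFFECTED = b"\x00\x00UnityFS\x00" + b"2021.3.15f1" + b"\x00\x01\x02 1.2.3f4 \xff"
SAMPLE_OLD = b"\x00\x00" + b"5.6.7f1" + b"\x00"
SAMPLE_NONE = b"\x00nothing to see here 1.2.3f4\x00"

if __name__ == "__main__":
    for name, blob in (("affected", SAMPLE_AFFECTED), ("old", SAMPLE_OLD), ("none", SAMPLE_NONE)):
        print(f"{name}: {triage_blob(blob)}")
```

Run it over every data file in a shipped build directory (or the contents of an unpacked APK); anything reported as REVIEW is a candidate for the rebuild or binary-patch path the email describes, and a build that uses anti-cheat or tamper-proofing must take the rebuild path regardless, as the email notes.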
You can learn more about the Unity security vulnerability and the actions taken to mitigate it in the video below.