Unity Discloses Major Exploit Impacting Multiple Versions

This week Unity disclosed a major security vulnerability which has existed for at least eight years across multiple versions of the Unity engine.

We've broken out this relatively small story for its own article as we believe it's important for this news to be shared widely due to the widespread use of the game engine.

The vulnerability, assigned as CVE-2025-59489, allows potential arbitrary code execution and data exfiltration on machines running games published with vulnerable version of the editor across multiple platforms.

Unity has released fixes for all supported versions as well as a number of out-of-support versions as far back as 2019.1.

The vulnerability is a particularly noteworthy one due to ubiquity of Unity as a game engine choice, especially for indie developers.

A number of games, including Cities: Skylines II, Derail Valley, Against the Storm and countless others have already released patches addressing the vulnerability, but there remain countless other unpatched games still available.

Obsidian Entertainment even took the step of removing a number of their games from sale while they worked to correct the issue. All games are now available again.

The good news for gamers is that there doesn't appear to be any instances of this vulnerability being exploited in the wild. Regardless, it doesn't hurt to be cautious around the use of games that haven't yet been updated with the security fix.