Particle.news

Microsoft and Steam Move to Contain Unity Runtime Flaw Affecting Thousands of Games

Platform enforcement reduces exploitation risk, prompting updates.

Overview

  • Valve shipped a Steam Client update that blocks game launches using Unity’s vulnerable command-line parameters and custom URI launch paths tied to CVE-2025-59489.
  • Microsoft added detection rules to Microsoft Defender, is identifying affected apps, and advised uninstalling vulnerable games until patches arrive, naming titles such as Hearthstone, The Elder Scrolls: Blades, Fallout Shelter, DOOM (2019), Wasteland 3, and Forza Customs.
  • Unity published fixes and guidance for all builds from 2017.1 onward across Windows, macOS, Android, and Linux, offering two remediation paths: rebuild with patched editors or replace the UnityPlayer.dll runtime.
  • The flaw (CVSS 8.4) stems from unvalidated command-line handling that can load attacker-supplied native libraries, with Unity warning that Windows faces higher risk where custom URI handlers are present.
  • Researcher RyotaK demonstrated a practical Android intent-based local attack, but Unity says it has seen no evidence of in-the-wild exploitation to date.
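Unity's second remediation path in the summary above is to replace the UnityPlayer.dll runtime in each shipped game rather than rebuild it. The script below is an added example for defenders, not code from Unity, Valve or Microsoft: it inventories every UnityPlayer.dll under the library roots you pass in and diffs that inventory against an earlier snapshot, so you can see which installs actually received a new runtime file and which were left untouched. It assumes the runtime ships as a file literally named UnityPlayer.dll (as the bulletin states) and, because the page gives no fixed version numbers, it compares content hashes between snapshots instead of checking a version string.

```python
"""Inventory UnityPlayer.dll files under game library roots and diff two snapshots.

Added example (not Unity/Valve/Microsoft code). Assumptions: the vulnerable
runtime is a file named UnityPlayer.dll (case-insensitive match), and a changed
content hash between snapshots means the file was replaced. No fixed-version
list is on the page, so no version check is attempted here.
"""
import hashlib
import json
import os
import sys
from datetime import datetime, timezone

TARGET_NAME = "unityplayer.dll"  # compared case-insensitively


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large runtimes do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(roots):
    """Return {path: {"sha256", "size", "mtime"}} for every UnityPlayer.dll found."""
    found = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != TARGET_NAME:
                    continue
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                found[path] = {
                    "sha256": sha256_file(path),
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                }
    return found


def diff_snapshots(before, after):
    """Classify each install as replaced, unchanged, new or removed.

    'unchanged' is the interesting state for a defender: that install still has
    the runtime it had before remediation was attempted.
    """
    result = {}
    for path in set(before) | set(after):
        if path in before and path in after:
            same = before[path]["sha256"] == after[path]["sha256"]
            result[path] = "unchanged" if same else "replaced"
        elif path in after:
            result[path] = "new"
        else:
            result[path] = "removed"
    return result


def save_snapshot(inv, out_path):
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(inv, f, indent=2, sort_keys=True)


def load_snapshot(in_path):
    with open(in_path, "r", encoding="utf-8") as f:
        return json.load(f)


if __name__ == "__main__":
    # Usage:
    #   python unity_inventory.py snapshot before.json <root> [<root> ...]
    #   python unity_inventory.py diff     before.json <root> [<root> ...]
    if len(sys.argv) < 4 or sys.argv[1] not in ("snapshot", "diff"):
        sys.exit("usage: unity_inventory.py (snapshot|diff) SNAPSHOT.json ROOT...")
    mode, snap, roots = sys.argv[1], sys.argv[2], sys.argv[3:]
    current = inventory(roots)
    if mode == "snapshot":
        save_snapshot(current, snap)
        print(f"recorded {len(current)} UnityPlayer.dll file(s) to {snap}")
    else:
        for path, state in sorted(diff_snapshots(load_snapshot(snap), current).items()):
            print(f"{state:9s} {path}")
```

Take a snapshot before applying the vendor's replacement runtime, run `diff` afterwards, and treat every `unchanged` line as an install that still needs attention (or an uninstall, per Microsoft's interim advice). The hash comparison deliberately says nothing about whether the new file is the fixed one; it only proves the file on disk changed, which is the part that is easy to get wrong across dozens of game directories.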