Overview
- Valve shipped a Steam Client update that blocks game launches using Unity’s vulnerable command-line parameters and custom URI launch paths tied to CVE-2025-59489.
- Microsoft added detection rules to Microsoft Defender, is identifying affected apps, and advised uninstalling vulnerable games until patches arrive, naming titles such as Hearthstone, The Elder Scrolls: Blades, Fallout Shelter, DOOM (2019), Wasteland 3, and Forza Customs.
- Unity published fixes and guidance for all builds from 2017.1 onward across Windows, macOS, Android, and Linux, offering two remediation paths: rebuild with patched editors or replace the UnityPlayer.dll runtime.
- The flaw (CVSS 8.4) stems from unvalidated command-line handling that can load attacker-supplied native libraries, with Unity warning that Windows faces higher risk where custom URI handlers are present.
- Researcher RyotaK demonstrated a practical Android intent-based local attack, but Unity says it has seen no evidence of in-the-wild exploitation to date.