Overview
- Unity’s CVE-2025-59489 (CVSS 8.4) stems from the Unity runtime trusting launch arguments it receives from untrusted sources: command-line parameters on desktop and intent extras on Android. The flaw is present in builds made with Unity 2017.1 and later, across Android, Windows, macOS, and Linux.
- Valve’s updated Steam Client now blocks launches that include vulnerable Unity debug parameters, and it directs publishers to submit updates using safe engine versions or patched runtime files.
- Microsoft added Defender detection rules, advised users to temporarily uninstall impacted games, cited examples like Hearthstone and Fallout Shelter, and noted Xbox builds are not affected.
- Research shows exploitation can be triggered via Android intents or unvalidated launch parameters such as -xrsdk-pre-init-library, which names a native library for the runtime to load. The risk is elevated on Windows where a game registers a custom URI handler, since a crafted link can then supply the arguments; any code loaded this way runs with the game’s privileges.
- Unity provides two remediation paths: rebuild with a patched Editor, or replace the UnityPlayer runtime binaries in an existing build, for which a patcher tool is available. Some Linux builds and builds protected by anti-tamper or integrity checks are not covered by the patcher. No in-the-wild exploitation has been reported.
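The argument-injection vector and the Steam client's block on launches carrying the dangerous parameter suggest two practical checks: a launch guard that refuses the flag before the runtime sees it, and a detection sweep over process-creation records. The block below is an added example written for this page; it is not Steam's, Unity's or Microsoft's code. The only parameter name taken from the summary above is -xrsdk-pre-init-library; every function name is an assumption made for illustration, and the log records are constructed.

```python
"""Launch-argument guard and process-record scanner for Unity-built games.

Added example, not Steam's, Unity's or Microsoft's code. Only the parameter
-xrsdk-pre-init-library comes from the advisory summary; function names are
illustrative assumptions and SAMPLE_RECORDS is constructed data.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Parameters the guard refuses outright. The page names only
# -xrsdk-pre-init-library; extend this set from a vendor advisory, not from guesses.
BLOCKED_PARAMS = frozenset({"-xrsdk-pre-init-library"})


def _normalize(flag: str) -> str:
    """Fold case and leading dashes so '--XRSDK-Pre-Init-Library' still matches.

    A defensive filter should over-match rather than under-match."""
    return "-" + flag.lstrip("-").lower()


def find_blocked_args(argv: list[str]) -> list[tuple[str, str | None]]:
    """Return (flag, value) for every blocked parameter in argv.

    Accepts both '-flag value' and '-flag=value' spellings; value is None when
    the flag is the last token or is directly followed by another flag."""
    hits: list[tuple[str, str | None]] = []
    i = 0
    while i < len(argv):
        name, sep, inline_value = argv[i].partition("=")
        flag = _normalize(name)
        if flag in BLOCKED_PARAMS:
            value = None
            if sep:
                value = inline_value
            elif i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                value = argv[i + 1]
                i += 1  # consume the value token as well
            hits.append((flag, value.strip('"') if value else value))
        i += 1
    return hits


@dataclass
class LaunchDecision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def guard_launch(argv: list[str]) -> LaunchDecision:
    """Refuse, rather than silently strip, a launch that carries a blocked parameter.

    Refusing matches the behaviour the page attributes to the Steam client and
    keeps an attempted injection visible to the user and to logging."""
    hits = find_blocked_args(argv)
    if not hits:
        return LaunchDecision(True)
    return LaunchDecision(
        False, [f"blocked parameter {flag} (value: {value!r})" for flag, value in hits]
    )


# Constructed process-creation records in the shape an EDR might emit.
# Paths and file names are made up for this example.
SAMPLE_RECORDS = [
    {"image": r"C:\Games\Demo\Demo.exe",
     "cmdline": r'"C:\Games\Demo\Demo.exe" -screen-fullscreen 0'},
    {"image": r"C:\Games\Demo\Demo.exe",
     "cmdline": r'"C:\Games\Demo\Demo.exe" -xrsdk-pre-init-library "C:\Users\Public\payload.dll"'},
    {"image": "/home/user/.local/share/Demo/Demo.x86_64",
     "cmdline": "/home/user/.local/share/Demo/Demo.x86_64 -XRSDK-PRE-INIT-LIBRARY=../../payload.so"},
    {"image": r"C:\Games\Demo\Demo.exe",
     "cmdline": r'"C:\Games\Demo\Demo.exe" -xrsdk-pre-init-library'},
]


def scan_process_records(records) -> list[tuple[str, list[tuple[str, str | None]]]]:
    """Return (image, hits) for each record whose command line carries a blocked flag.

    The command line is split with shlex in non-POSIX mode so Windows backslashes
    are not treated as escapes; the leading image token is dropped before scanning."""
    flagged = []
    for rec in records:
        argv = shlex.split(rec["cmdline"], posix=False)[1:]
        hits = find_blocked_args(argv)
        if hits:
            flagged.append((rec["image"], hits))
    return flagged


if __name__ == "__main__":
    for image, hits in scan_process_records(SAMPLE_RECORDS):
        print(f"BLOCKED {image}: {hits}")
```

Dropping the flag and letting the game start would also neutralise the attack, but a refusal gives the player a visible failure and the defender a log line, which is why guard_launch refuses. The scanner is deliberately parameter-based: it flags the injection attempt regardless of where the named library lives, so a payload staged inside the game directory is still caught.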