Microsoft and Valve issue warning to gamers about Unity vulnerability


Both Microsoft and Valve have issued warnings about flaws in the Unity engine that could expose gamers to attack. A new version of Steam has been released to plug the security hole as well.

Tracked as CVE-2025-59489, the Unity Gaming Engine Editor vulnerability has a severity rating of 8.4. The nature of Unity is such that the flaw affects multiple platforms – Windows, Linux, macOS and Android. There is good news for some, however; Xbox consoles, Xbox Cloud Gaming, iOS and HoloLens all remain unaffected.

Steam issued the following notice to game developers: “Earlier today, Unity announced that applications made with Unity 2017.1 or newer contain a vulnerability that could allow an attacker to remotely target a user's machine. You can read the full report on Unity's website. The issue has been filed under CVE-2025-59489.”

The company continues:

As a response, Valve has released a new Steam Client update to all users. The update blocks launching a game through the Steam Client custom URI scheme (steam://) or an OS shortcut if any of the four command line parameters listed in the Unity report are present in the launch request. If a launch request does not contain one of the four listed command line parameters, the Steam Client will continue its previous behavior of displaying a warning dialog that users must accept before a game is launched.

Please refer to the Unity remediation guide, especially if your game registers a protocol handler (custom URI scheme) or external launch method, to determine if your game is affected by this issue and needs to be updated.

Updating Your Game 

Unity has provided two paths to update games affected by this issue. If your game is under active development, you can use a new version of the Unity Editor to rebuild your game. For developers that are unable to rebuild their game, Unity has released patched versions of the UnityPlayer.dll runtime file that can be dropped into existing game folders. Please refer to Unity’s remediation guide for more information.

Microsoft is directing developers to follow the above advice, and has also issued separate notices aimed at gamers:

Microsoft security and game development teams are working to update any game or application that is potentially affected by this Unity vulnerability.

If a Microsoft-owned game or application is not listed and you have installed all available updates, no further action is required. For customers who have automatic updates enabled, fixes will be deployed as they become available. If you have automatic updates turned off, please check to see if you have any updates available for your downloaded apps and games and install the latest update on your device.

Customers who have an impacted app or game installed (see below list) are encouraged to take these steps:

  • Temporarily uninstall any impacted Microsoft apps or games until an update is available. For more guidance on how to uninstall, please see the FAQs below.
  • Use an up-to-date version of Microsoft Defender to detect and block attempts to exploit this vulnerability.
  • Follow guidance from Unity or your platform provider.
  • Microsoft-owned games and apps affected by this vulnerability and their requisite updates are documented in the Security Updates Table.

You can keep an eye on the above-mentioned Security Updates Table by visiting the Microsoft Security Response Center.

At the moment there is no evidence that the vulnerability has been exploited, but this is something that is likely to change as awareness grows. While fixes have been pushed out quite quickly, the onus is placed on gamers to install these fixes, and game developers to recompile their games. We will soon hear if enough people take action in time to avoid this becoming a serious problem.
