Android and Windows gamers worldwide potentially affected by bug in Unity game engine
Gamers and game developers are being warned of an urgent need to update their software following the disclosure of a vulnerability in the Unity engine, the world’s most popular games development tool.
The bug, tracked as CVE-2025-59489, exposes apps built using affected versions of Unity to attacks that could execute arbitrary code — meaning a malicious file could hijack permissions granted to a Unity game and run commands using the app’s permissions on a victim’s device.
The company said the vulnerability primarily affects Android, Windows, Linux and macOS systems but does not appear to be exploitable on iOS devices, nor on games on Xbox, PlayStation or Nintendo Switch.
Unity warned in an advisory that the vulnerability could allow “access to confidential information on end user devices running unity-built applications” although it stressed any code execution “would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application.”
“There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. Unity has provided fixes that address the vulnerability and they are already available to all developers,” the company stated.
Although there has been no observed exploitation of the bug, the risks are potentially great because of the sheer size of Unity’s footprint on the billions of Android devices globally.
Popular games built with the Unity engine include Pokémon GO, Genshin Impact and Call of Duty: Mobile.
Microsoft warned that vulnerable Microsoft apps and games should be temporarily uninstalled until an update is available, but said “in most cases, you can stay safe by ensuring your games and applications are up to date and Microsoft Defender is running on your device.”
The games platform Steam published a notice for Unity game developers announcing that it would be blocking attempts to launch games that include “any of the four command line parameters listed in the Unity report” that could potentially be malicious.
The bug was reported during the Meta Bug Bounty Researcher Conference in June by RyotaK, a researcher at Japanese cybersecurity company GMO Flatt Security.
In a statement, GMO Flatt Security said: “We appreciate Unity’s commitment to addressing this issue promptly and their ongoing efforts to enhance the security of their platform. Security vulnerabilities are an inherent challenge in software development, and by working together as a community, we can continue to make software systems safer for everyone.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.