Unity instructing developers to patch ALL products created with Unity 2017.1 and later, effects Android, iOS, and PC platforms!

Miyazaki’s Slave

Miyazaki’s Slave

Gold Member
AKA, nightmare fuel for developers especially heading into a weekend!

No details on what the security vulnerability is inside of their warning emails but I can say I do not remember ever getting one of these from Unity over the last 15 years.

Sorry for the wack formatting...

********************
An important message

A security vulnerability was identified that affects games and applications built on Unity versions 2017.1 and later for Android, Windows, Linux, and macOS operating systems. There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers. We have proactively provided fixes that address the vulnerability, and they are already available to all developers. The vulnerability was responsibly reported by the security researcher RyotaK, and we thank him for working with us.

Key Facts:
  • There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.
  • Unity has worked in close collaboration with our platform partners who have taken further steps to secure their platforms and protect end users.
  • Released games or applications using Unity 2017.1 or later for Windows, Android, macOS, or Linux may contain this vulnerability.
  • Unity has released an update for each of the major and minor versions of the Unity Editor starting with Unity 2019.1.
  • Unity has released a binary patcher to patch already-built applications dating back to 2017.1.
What Actions Should You Take?
You need to take action if you have developed and released a game or application using Unity 2017.1 or later for Windows, Android, or macOS. It is imperative that you review the following guidance to ensure the continued safety of your users.
  • If your project is still in active development:
    • Download the patched update for your version of the Unity Editor, available via Unity Hub or the Unity Download Archive, before building and publishing. This will ensure that your releases are fully protected.
    • We strongly recommend you download the patched update for your version of the Unity Editor, recompile, and republish your application.
    • We have provided a tool to patch already-built applications dating back to 2017.1 for Android, Windows, and macOS for developers who prefer not to rebuild their projects. The tool can be accessed here.
Additional Platforms:

  • For Horizon OS: Meta devices have implemented mitigations so that vulnerable Unity apps running on Horizon OS cannot be exploited.
  • For Linux: The vulnerability presents a much lower risk on Linux compared to Android, Windows, and macOS.
  • For all other Unity-supported platforms, including iOS, there have been no findings to suggest that the vulnerability is exploitable.
  • For the best protection, we always recommend you are on the latest patch release of the version of Unity you are using.
Consumer Guidance:
  • There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.
  • Advise your users to keep their devices and applications updated, enable automatic updates, and maintain current antivirus software.
  • Encourage security best practices, including avoiding suspicious downloads and routinely updating all software.
Our Commitment: Unity is dedicated to the security and integrity of our platform, our customers, and the wider community. Transparent communication is central to this commitment, and we will continue to provide updates as necessary.
For comprehensive technical details, please consult our patching tool and remediation guide, Security Advisory, and CVE-2025-59489. If you have any questions, join us in Discussions or if you need additional support you can open up a ticket at support.unity.com.
Please also consult our FAQ.

Your proactive attention to this matter is essential to protect your users and allow you to uphold the highest standards of security.
 
Last edited:
Zw
 
Holy fuck, 2017.1 is a super old version. This basically includes almost all Unity projects that are now being sold. To patch this pretty likely is going to be a big pain in the ass for many people.
 
yurinka said:
Holy fuck, 2017.1 is a super old version. This basically includes almost all Unity projects that are now being sold. To patch this pretty likely is going to be a big pain in the ass for many people.
Click to expand...
Been up since 4:15 my time trying to do JUST that.

It is a GIGANTIC pain in the ass especially when you have to deal with enterprise apps.
 
Last edited:
Our lord and savior Gaben has released a new Steam version which includes a wrapper protecting from this vulnerability:

steamcommunity.com

Steam :: Steam News :: Steam Client Update - October 2nd

A new Steam client has been released and will be automatically downloaded. General Added mitigations for Unity CVE-2025-59489, blocking a game launch through the Steam Client when an exploit attempt is detected. Added "End of Life" alert for 32-bit versions of Windows. Currently Windows 10...
steamcommunity.com steamcommunity.com

Make sure to update your Steam, people!

shaking gabe newell GIF
 
Does Valve charge to put up patches separately from their 30%? I thought I remember something during the ps3 or ps4 era, that it would cost devs like 20k a patch. If that's the case, is Unity going to pay for it? Again, I might be misremembering things.
 
Itchy Tickles said:
Does Valve charge to put up patches separately from their 30%? I thought I remember something during the ps3 or ps4 era, that it would cost devs like 20k a patch. If that's the case, is Unity going to pay for it? Again, I might be misremembering things.
Click to expand...
Steam does not charge for patch releases.

Back in the day on consoles you would get a certain amount of patches included with the cost of your certification fees. Outside of those, yes, it was an additional cost.

Now most of that is automated depending on the platform.
 
GrayChild said:
Our lord and savior Gaben has released a new Steam version which includes a wrapper protecting from this vulnerability:

steamcommunity.com

Steam :: Steam News :: Steam Client Update - October 2nd

A new Steam client has been released and will be automatically downloaded. General Added mitigations for Unity CVE-2025-59489, blocking a game launch through the Steam Client when an exploit attempt is detected. Added "End of Life" alert for 32-bit versions of Windows. Currently Windows 10...
steamcommunity.com steamcommunity.com

Make sure to update your Steam, people!

shaking gabe newell GIF
Click to expand...
Oh, Steam makes sure to update itself all the time, it's unescapable lol
 
You must log in or register to reply here.

Similar threads

When it comes to animations and visuals, AC Unity puts the later AC games to shame
42
481
The_Observer replied
Roguelite action RPG Solo Leveling: KARMA announced for PC, iOS, and Android
News Trailer 
5
764
LordCBH replied
Nintendo Shadowdrop Fire Emblem Shadows (iOS/Android), RTS Gameplay with Traitor Mechanism
17
192
Jinzo Prime replied
Monster Hunter Outlanders gets a new gameplay trailer at TGS 2025, closed beta announced (iOS and Android)
Trailer 
2
80
pulicat replied
  • Locked
NateTheHate: RDR2 next gen patch rumours are true and coming later this year
0
200
cormack12 replied
Top Bottom