Massive Unity Security Exploit

Unity has just disclosed a major security vulnerability affecting most platforms and all versions of Unity, from Unity 2017 all the way up to the most recent Unity 6.x releases. The vulnerability affects games and applications created using Unity, not the Unity editor itself. The exploit, demonstrated on Android, enables malicious actors to run arbitrary code. In the Unity Hub, all versions of the Unity editor 2019 and up have an update available that fixes the vulnerability. Earlier today Unity sent out the following email:


An important message

A security vulnerability was identified that affects games and applications built on Unity versions 2017.1 and later for Android, Windows, Linux, and macOS operating systems. There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers. We have proactively provided fixes that address the vulnerability, and they are already available to all developers. The vulnerability was responsibly reported by the security researcher RyotaK, and we thank him for working with us.

Key Facts:

  • There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.
  • Unity has worked in close collaboration with our platform partners who have taken further steps to secure their platforms and protect end users.
  • Released games or applications using Unity 2017.1 or later for Windows, Android, macOS, or Linux may contain this vulnerability.
  • Unity has released an update for each of the major and minor versions of the Unity Editor starting with Unity 2019.1.
  • Unity has released a binary patcher to patch already-built applications dating back to 2017.1.

What Actions Should You Take?
You need to take action if you have developed and released a game or application using Unity 2017.1 or later for Windows, Android, or macOS. It is imperative that you review the following guidance to ensure the continued safety of your users.

  • If your project is still in active development:
    • Download the patched update for your version of the Unity Editor, available via Unity Hub or the Unity Download Archive, before building and publishing. This will ensure that your releases are fully protected.
  • Games and applications already built:
    • We strongly recommend you download the patched update for your version of the Unity Editor, recompile, and republish your application.
    • We have provided a tool to patch already-built applications dating back to 2017.1 for Android, Windows, and macOS for developers who prefer not to rebuild their projects. The tool can be accessed here.
  • For Android or Windows Applications, some additional protections are being put in place:
    • If your Android application is distributed via Google Play, other third-party Android App stores, or direct download: As an additional layer of defense, Android’s built-in malware scanning and other security features will help reduce risks to users posed by this vulnerability. This does not replace the time-critical need to apply the patch update for affected apps. (These protections do not apply to AOSP-based platforms unaffiliated with Google.)
    • If your application targets Windows: For Windows-based applications, Microsoft Defender has been updated and will detect and block the vulnerability. Valve will issue additional protections for the Steam client.
  • If your application employs tamper-proofing or anti-cheat solutions:
    • You will need to rebuild your project with the patched update for your version of the Unity Editor and redeploy to maintain these protections. Patching your existing application isn’t possible because it will trip the tamper protection.

Additional Platforms:

  • For Horizon OS: Meta devices have implemented mitigations so that vulnerable Unity apps running on Horizon OS cannot be exploited.
  • For Linux: The vulnerability presents a much lower risk on Linux compared to Android, Windows, and macOS.
  • For all other Unity-supported platforms, including iOS, there have been no findings to suggest that the vulnerability is exploitable.
  • For the best protection, we always recommend you are on the latest patch release of the version of Unity you are using.

Consumer Guidance:

  • There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.
  • Advise your users to keep their devices and applications updated, enable automatic updates, and maintain current antivirus software.
  • Encourage security best practices, including avoiding suspicious downloads and routinely updating all software.

Our Commitment: Unity is dedicated to the security and integrity of our platform, our customers, and the wider community. Transparent communication is central to this commitment, and we will continue to provide updates as necessary.

For comprehensive technical details, please consult our patching tool and remediation guide, Security Advisory, and CVE-2025-59489. If you have any questions, join us in Discussions or if you need additional support you can open up a ticket at support.unity.com.

Please also consult our FAQ.

Your proactive attention to this matter is essential to protect your users and allow you to uphold the highest standards of security.


Key Links

Unity Security Response

CVE-2025-59489: Arbitrary Code Execution in Unity

Unity Discussions

You can learn more about the Unity security exploit and the actions taken to mitigate it in the video below.
