The runtime environment for the Unity game engine is used in various popular games. Microsoft has now reported a serious security vulnerability that allows attackers to execute malicious code. The manufacturer advises users to uninstall affected software until updates are available.
Microsoft describes the vulnerability as an “untrusted search path”. That matches the description from the manufacturer Unity but falls short of what the bug report by the discoverer, who goes by the handle RyotaK, describes. The Unity runtime uses intents for communication between app components, and apparently not only on Android. A malicious intent lets an attacker control the command-line parameters that are passed to a Unity app; among other things, this can be used to make the app load an arbitrary library and thereby execute malicious code. A malicious app on the same device therefore gains the privileges of the Unity app it targets. In some cases this may even be exploitable over the network (CVE-2025-59489 / EUVD-2025-32292, CVSS 8.4, risk “high”).
Apps and games created with the Unity Gaming Engine Editor in version 2017.1 or newer are affected, but not on every platform: users on Android, Linux, macOS and Windows need to take action, while those on HoloLens, iOS, Xbox Cloud Gaming and Xbox consoles can sit back and relax, because those platforms are not vulnerable.
Take countermeasures now
Exploit code is available, according to Microsoft. Potentially affected users should therefore take action. Anyone using vulnerable Microsoft apps or games should uninstall them until an update is available, the manufacturer recommends. Microsoft is working on updates but has not given a planned date for their availability. Developers should install the corrected Unity software and release updates for their apps or games as soon as possible. In addition to games, Microsoft’s “Mesh PC” programs are also affected; for those, version 5.2513.3.0 or newer closes the security gap and is said to have already arrived on affected machines with auto-update enabled.
Microsoft lists the following apps and games as vulnerable:
- Microsoft Mesh PC Applications
- Pillars of Eternity
- Hearthstone
- Grounded 2 Artbook
- Zoo Tycoon Friends
- The Elder Scrolls: Legends
- Mighty Doom
- Halo Recruit
- Gears POP!
- Forza Customs
- DOOM II (2019)
- DOOM (2019)
- Wasteland Remastered
- Wasteland 3
- Warcraft Rumble
- The Elder Scrolls: Castles
- The Elder Scrolls: Blades
- The Elder Scrolls IV: Oblivion Remastered Companion App
- The Bard’s Tale Trilogy
- Starfield Companion App
- Pillars of Eternity: Hero Edition
- Pillars of Eternity: Definitive Edition
- Pillars of Eternity II: Deadfire - Ultimate Edition
- Pillars of Eternity II: Deadfire
- Knights and Bikes
- Ghostwire Tokyo Prelude
- Fallout Shelter
- DOOM: Dark Ages Companion App
- Avowed Artbook

In the table in Microsoft’s CVE entry, the company also lists the bug-fixed versions. However, an update is currently only available for the Mesh PC software. Anyone using the affected software should therefore uninstall it and then regularly check whether an update is available. You can then reinstall the software with the new version.
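Microsoft’s list covers only its own titles, so the first practical question for anyone else is which installed programs actually embed the Unity runtime and which engine version they were built with. The following Python script is an added triage helper for that inventory step; it is not from the article, from Unity or from Microsoft. It looks for the well-known Unity player binaries (UnityPlayer.dll on Windows, UnityPlayer.so on Linux, UnityPlayer.dylib on macOS, libunity.so on Android and Linux) and reads the engine version string from the header of the player’s data file (globalgamemanagers or data.unity3d). The marker file names, the header heuristic and the 2017.1 threshold are this script’s own assumptions, and because the fixed Unity versions are not part of this article, the script only reports builds that fall into the affected range for comparison against Unity’s advisory; it never declares a build patched.

```python
"""Inventory Unity-built apps under a directory tree and report their engine version.

Added triage helper, not tooling from Unity or Microsoft. It answers two
questions: which programs embed the Unity runtime, and which engine version
they were built with. Whether a build is already fixed must be checked against
the vendor's advisory; this script only flags the 2017.1-or-newer range.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known Unity player binaries (assumed marker set for this script).
RUNTIME_MARKERS = {
    "UnityPlayer.dll",    # Windows
    "UnityPlayer.so",     # Linux player
    "UnityPlayer.dylib",  # macOS, under Contents/Frameworks
    "libunity.so",        # Android (lib/<abi>/) and Linux
}

# Data files whose header carries the engine version as an ASCII string
# (heuristic; offset varies, so the first 4 KiB are searched).
VERSION_CARRIERS = ("globalgamemanagers", "data.unity3d", "level0", "mainData")
HEADER_BYTES = 4096

# Unity versions look like 5.6.7f1, 2019.4.40f1, 2022.3.10f1 or 6000.0.23f1.
VERSION_RE = re.compile(
    rb"(?:20\d\d|6\d\d\d)\.\d{1,2}\.\d{1,3}[abfpx]\d{1,3}|5\.\d\.\d{1,2}[abfpx]\d{1,2}"
)


@dataclass
class UnityBuild:
    root: str               # directory containing the runtime marker
    marker: str             # which runtime binary was found
    version: Optional[str]  # engine version, or None if not recoverable

    def in_affected_range(self) -> Optional[bool]:
        """True if the engine is 2017.1 or newer, the range named in the advisory;
        None when no version could be read."""
        if not self.version:
            return None
        major, minor = (int(x) for x in self.version.split(".")[:2])
        return (major, minor) >= (2017, 1)


def parse_engine_version(head: bytes) -> Optional[str]:
    """Extract a Unity version string from a data-file header, if present."""
    m = VERSION_RE.search(head)
    return m.group(0).decode("ascii") if m else None


def read_engine_version(path: str) -> Optional[str]:
    try:
        with open(path, "rb") as f:
            return parse_engine_version(f.read(HEADER_BYTES))
    except OSError:
        return None


def find_version_near(root: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (version, path) from the first version-carrying data file within
    three directory levels below root, or (None, None)."""
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= 3:
            dirnames[:] = []  # do not descend any further
        for name in filenames:
            if name in VERSION_CARRIERS:
                path = os.path.join(dirpath, name)
                version = read_engine_version(path)
                if version:
                    return version, path
    return None, None


def scan(top: str) -> List[UnityBuild]:
    """Walk `top`, collect Unity builds and their engine versions.
    Multiple markers sharing one data file (e.g. several Android ABIs in an
    unpacked APK) are reported once."""
    builds: List[UnityBuild] = []
    seen = set()
    for dirpath, _, filenames in os.walk(top):
        for name in filenames:
            if name not in RUNTIME_MARKERS:
                continue
            # The data file sits next to the marker (Windows/Linux), one level
            # up (macOS bundle) or two levels up (Android lib/<abi>/).
            root, version, vpath = dirpath, None, None
            for _ in range(3):
                version, vpath = find_version_near(root)
                if version:
                    break
                root = os.path.dirname(root)
            key = vpath or os.path.join(dirpath, name)
            if key in seen:
                continue
            seen.add(key)
            builds.append(UnityBuild(dirpath, name, version))
    return builds


if __name__ == "__main__":
    status = {
        True: "CHECK: 2017.1 or newer, compare with the vendor's fixed versions",
        False: "pre-2017.1, outside the range named in the advisory",
        None: "engine version not recovered, inspect manually",
    }
    for b in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{b.root}\t{b.marker}\t{b.version or '?'}\t{status[b.in_affected_range()]}")
```

Run it against a game library folder (for example the Steam or Program Files directory, an extracted .app bundle, or an unpacked APK) and compare every reported version with the fixed releases in Unity’s advisory; an entry with a recovered version is still only a candidate, since a developer may have rebuilt the app with a patched editor under the same marketing version.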
Microsoft recently attracted attention with a critical Entra ID vulnerability that could have allowed every tenant worldwide to be compromised.
(dmk)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.