Unity has urged developers to act immediately following the revelation of a serious security flaw in its game development software. According to a post by Larry Hryb, also known as “Major Nelson,” the vulnerability affects games built with Unity versions dating back to 2017. Although Unity states that there is “no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers,” it has already made fixes available to developers.
Vulnerable versions and mitigation
Unity indicates that the vulnerability could affect any game or application built with Unity 2017.1 or later targeting Windows, Android or macOS. Hryb emphasises that all affected developers should update their software without delay. “You have developed and released a game or application using Unity 2017.1 or later for Windows, Android, or macOS,” he says, “you need to take action.” Unity says its platform partners have also “taken further steps to secure their platforms and protect end users.”
Valve has issued a newer version of Steam that includes mitigations against the exploit. On Windows, Microsoft Defender has been updated to “detect and block the vulnerability,” Hryb explains. He adds that Google and Meta have also taken responsive measures. Importantly, Unity notes there are “no findings to suggest” that the flaw can be exploited on iOS, visionOS, tvOS, Xbox, Nintendo Switch, PlayStation, UWP, Quest or WebGL.
Developer responses and game updates
In the wake of the disclosure, many developers have responded swiftly. Obsidian has temporarily removed several of its titles from digital storefronts—including Grounded 2 Founders Edition, Avowed Premium Edition, Pillars of Eternity: Hero Edition, Pillars of Eternity II: Deadfire, and Pentiment—until the necessary security updates can be applied.
“A security vulnerability affecting our games that use Unity has recently been identified. As a precaution and to keep you safe, we have temporarily removed the following titles and products from digital storefronts while we implement the necessary updates to address the issue:…”
— Obsidian (@Obsidian) October 3, 2025
Other games have already received fixes. Marvel Snap, No Rest for the Wicked, Ingress, and Fate/Grand Order have all been updated to address the issue. Atlus has confirmed that Persona 5: The Phantom X will also receive an update.
Technical details and risk implications
The public Common Vulnerabilities and Exposures (CVE) record warns that “if an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running.” In other words, an attacker could potentially run unauthorised code or steal data from a user’s device if the affected game is executed there.
Although there is no current indication that the vulnerability has been exploited in the wild, Unity’s call for “immediate action” underscores the importance of rapid mitigation. Developers working with Unity versions from 2017 onwards should prioritise applying the available patches and updates to protect end users and maintain platform security.