A critical vulnerability (CVE-2025-59489) was disclosed in the Unity engine, the world’s most widely used game development platform, exposing apps built with affected versions to arbitrary code execution attacks. The flaw allows malicious files to hijack permissions granted to Unity-based games, potentially accessing confidential user data on Android, Windows, Linux, and macOS devices (excluding iOS, Xbox, PlayStation, or Nintendo Switch). While no exploitation has been observed yet, the risk is severe due to Unity’s massive global footprint, powering billions of devices and popular games like Pokémon GO, Genshin Impact, and Call of Duty: Mobile. Unity released patches, and platforms like Steam blocked launches of games using suspicious command-line parameters. Microsoft advised uninstalling vulnerable apps until updates are available. The bug was reported by RyotaK (GMO Flatt Security) during Meta’s Bug Bounty Conference. Though no data breaches or user impact occurred, the vulnerability could have enabled unauthorized data access within the privileges of the affected application, posing significant risks to end-user confidentiality and system integrity.

Unity Technologies, a video game software development firm, suffered a data breach on its SpeedTree website due to malicious code injected into the checkout page. The unauthorized code, active from March 13, 2025, to August 26, 2025, skimmed sensitive customer payment data during purchases. Compromised information included names, addresses, emails, credit card numbers, and access codes of 428 affected individuals. The breach was discovered on August 26, 2025, prompting Unity to disable the website, remove the malicious code, and launch an investigation. The company notified impacted customers, authorities, and offered 12 months of free credit monitoring and identity protection via Equifax. The incident was attributed to a web skimming attack, where threat actors intercepted payment details entered by users during transactions.

A critical vulnerability (CVE-2025-59489) was discovered in Unity, the widely used game engine, allowing malicious apps on the same device to inject command-line arguments into Unity-based games to execute arbitrary code. Discovered by researcher RyotaK (GMA Flatt Security), the flaw affects all games compiled with Unity Editor 2017.1 or later—covering eight years of releases. While Xbox games are unaffected, Windows and Android games are highly vulnerable, with potential remote exploitation via browsers in rare cases. The bug is easy to exploit and poses a massive attack surface due to Unity’s ubiquity in gaming (used by millions of titles). Microsoft and Steam took emergency measures: Microsoft urged users to uninstall Unity games until patched, while Steam blocked launches of Unity games using exploitable command-line parameters. Developers must recompile and redistribute patched versions, creating a logistical challenge. The flaw’s severity is amplified by Unity’s dominance in indie and AAA game development, risking large-scale malware distribution, credential theft, or system takeovers via compromised games. Active exploitation is highly likely given the low barrier for attackers and the sheer volume of vulnerable installations in enterprise and consumer environments.