Description
MITRE: CVE-2025-59489 Unity Gaming Engine Editor vulnerability
Unity announced a security vulnerability (CVE-2025-59489) that is affecting games or applications built with the Unity Gaming Engine Editor (version 2017.1 or later).
You may be using a Microsoft app or playing a Microsoft game that should be uninstalled until an update is available. We are working to update games and applications that are potentially affected by this Unity vulnerability.
In most cases, you can stay safe by ensuring your games and applications are up to date and Microsoft Defender is running on your device.
If you have downloaded a vulnerable game or app (see list below) on one of the following platforms, you could be at risk:
- Android
- Windows
- Linux (Desktop)
- Linux (embedded)
- MacOS
We have confirmed the following are not impacted:
- Xbox consoles
- Xbox Cloud Gaming
- iOS
- HoloLens
Recommended Next Steps:
For Developers: Unity has made a fix available to developers. Organizations who believe that they have an app or game that might be impacted should reference Unity guidance and update their apps/games as soon as possible. You can learn more from Unity here.
For Players and Customers: Microsoft security and game development teams are working to update any game or application that is potentially affected by this Unity vulnerability.
If a Microsoft-owned game or application is not listed and you have installed all available updates, no further action is required. For customers who have automatic updates enabled, fixes will be deployed as they become available. If you have automatic updates turned off, please check to see if you have any updates available for your downloaded apps and games and install the latest update on your device.
Customers who have an impacted app or game installed (see below list) are encouraged to take these steps:
- Temporarily uninstall any impacted Microsoft apps or games until an update is available. For more guidance on how to uninstall, please see the FAQs below.
- Use an up-to-date version of Microsoft Defender to detect and block attempts to exploit this vulnerability.
- Follow guidance from Unity or your platform provider.
- Microsoft-owned games and apps affected by this vulnerability and their requisite updates are documented in the Security Updates Table.
For Microsoft Mesh Apps Users
In response to this CVE that is affecting applications built with the Unity Gaming Engine Editor (version 2017.1 or later), Microsoft has released a required security update for the Microsoft Mesh PC applications. We strongly encourage all users with the Microsoft Mesh apps installed on their devices to promptly update to the latest version of these apps, version 5.2513.3.0 or greater. If you have automatic updates enabled for these apps on all devices, no further action is required.
While we do not expect this to affect the functionality of any previously-scheduled events in Microsoft Mesh, use of the immersive spaces in Microsoft Teams meetings, or immersive events in Microsoft Teams, users will be required to update the Mesh PC apps before joining newly scheduled events in Mesh. We are informing you of this now so that you can mitigate any disruptions this may introduce to your events.
FAQ
Why are there no links to updates in the Security Updates Table?
This document will be updated with more information as it becomes available. We recommend allowing automatic updates for the apps on your platform.
I am using an impacted game or app, what should I do?
You should uninstall the impacted application until an update is available. Updates are being released regularly; you can check this page to see if the impacted application has been removed from the “Updates in Progress” list above, or check for available updates on your device. We also encourage customers to subscribe to Security Update Guide notifications to be alerted of updates for impacted games/apps. This Advisory and the related CVE will be updated with new information as needed and will link to any future security updates released.
How do I check for and install updates for my games or apps?
Windows customers can learn more here. If you are using another platform, please refer to their guidance.
How do I uninstall an impacted game or application?
To uninstall an app or game on Windows, press the Windows logo key on your keyboard or toolbar, and then enter settings in the search bar. Select Settings from the results, and then go to Apps > Apps & features or Installed apps, depending on your version of Windows. If you're on a Windows 10 device, choose the game that you want to uninstall from the list and then select Uninstall two times. On Windows 11, select the More actions button (“…”), and then select Uninstall two times.
How do I know if my game is impacted?
You can review the above list for impacted Microsoft titles. If the game you are playing is not listed and you have installed all available security updates, no further action is required. The above list is only representative of first-party Microsoft games.
I am playing one of the impacted games on Xbox console, should I be worried?
No. Console games and cloud gaming are not impacted.
Are there any games that were vulnerable but Microsoft has already released security updates for?
Yes, our teams have already released updates for some games and applications that were built on the affected version of Unity Editor. Those games and apps will be listed in the soon-to-be-published CVE-2025-59489.
When will updates be available for the games and apps that have not been updated?
Microsoft does not provide ETAs for security updates. Solutions to security issues are tested to ensure quality prior to release and will be published to the Microsoft Store once validation has been completed.
Are there any mitigations that can be deployed until a patch is available?
The game or app can be uninstalled and reinstalled once a patched version is available; please see MITRE: CVE-2025-59489 Unity Gaming Engine Editor vulnerability for the current status.
Additionally, Windows Defender will block exploitation attempts. Defender definitions version 1.437.296.0 and above have the following detections:
- Exploit:Win32/CVE-2025-59489
- Exploit:Win32/CVE-2025-59489.B
- Behavior:Win32/CVE-2025-59489
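The advisory gives two concrete values a Windows user or administrator can verify locally: Defender definitions version 1.437.296.0, which carries the detections listed above, and Microsoft Mesh PC app version 5.2513.3.0 from the "For Microsoft Mesh Apps Users" section. The following PowerShell is an added example, not Microsoft's or Unity's code, that checks both on a Windows host. It uses the standard `Get-MpComputerStatus`, `Get-MpThreat` and `Get-AppxPackage` cmdlets and assumes the Mesh apps are installed as Store (Appx/MSIX) packages whose package name contains "Mesh"; adjust that filter if your installation differs.

```powershell
# Added example (not from the Microsoft advisory): defender-side checks on a Windows host.
# 1) Confirm Microsoft Defender is enabled and its definitions are at or above
#    1.437.296.0, the version the advisory names for the CVE-2025-59489 detections.
# 2) List any Defender detections on this host whose name references CVE-2025-59489.
# 3) Compare the installed Microsoft Mesh Store package(s) against the advisory's
#    minimum version 5.2513.3.0.
# ASSUMPTION: the Mesh apps are Appx/MSIX packages with "Mesh" in the package name.

$RequiredDefs = [version]'1.437.296.0'   # from the advisory
$RequiredMesh = [version]'5.2513.3.0'    # from the advisory

function Test-DefenderCoverage {
    $status = Get-MpComputerStatus
    $defs   = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        AntivirusEnabled     = $status.AntivirusEnabled
        RealTimeProtectionOn = $status.RealTimeProtectionEnabled
        SignatureVersion     = $defs
        MeetsAdvisoryMinimum = ($status.AntivirusEnabled -and $defs -ge $RequiredDefs)
    }
}

function Get-Cve59489Detections {
    # Get-MpThreat returns threats Defender has detected on this machine.
    Get-MpThreat |
        Where-Object { $_.ThreatName -like '*CVE-2025-59489*' } |
        Select-Object ThreatName, SeverityID, IsActive
}

function Test-MeshVersion {
    $pkgs = Get-AppxPackage -Name '*Mesh*' -ErrorAction SilentlyContinue
    if (-not $pkgs) { return 'No package matching *Mesh* is installed on this host' }
    foreach ($p in $pkgs) {
        $v = [version]$p.Version
        [pscustomobject]@{
            Package = $p.Name
            Version = $v
            Patched = ($v -ge $RequiredMesh)
        }
    }
}

Test-DefenderCoverage
Get-Cve59489Detections
Test-MeshVersion
```

If `MeetsAdvisoryMinimum` is false, update Defender definitions before relying on the detections above; a Mesh package with `Patched` false should be updated from the Microsoft Store (or uninstalled until the update is available, as the advisory recommends).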
Are handheld devices affected?
Devices running Windows are affected, including desktops, laptops and handheld devices.
Updates
| Product | Article | Update |
|---|---|---|
| Microsoft Mesh PC Applications | | |
| Microsoft Mesh for Meta Quest | | |
CVSS3: 8.4 High
Related vulnerabilities
Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.
Unity Editor 2019.1 through 6000.3 could allow remote attackers to exploit file loading and Local File Inclusion (LFI) mechanisms via a crafted local application because of an Untrusted Search Path. This could permit unauthorized manipulation of runtime resources and third-party integrations. The issue could affect applications built using Unity and deployed across Android, Windows, macOS, and Linux platforms.