
On October 3, Unity sent an email alerting developers about a vulnerability found in the engine’s code affecting games released since 2017. Currently, there is no evidence that this Unity engine vulnerability has been exploited, but the advisory has led developers into a race against time to patch their games.
Originally launched in 2005, the Unity engine has powered notable titles such as Hollow Knight: Silksong, Subnautica, and Among Us, and its versatility across PCs and mobile devices has made it one of the leading engines in game development. It has faced challenges against Godot and Unreal Engine, particularly after the contentious Runtime Fee policy it introduced in 2023. Unity retracted those changes in 2024, preserving its subscription model. Unity Personal remains free for developers earning under $200,000 per year.
This security issue has reignited scrutiny of the Unity engine. The vulnerability is reportedly present in versions 2017.1 and onwards, including Unity 6, and affects games on platforms such as Windows, Android, Linux, and macOS. The flaw could potentially allow attackers to access confidential information on affected machines. Unity has indicated that no exploitation has been confirmed and has supplied developers with patches to mitigate the issue. Furthermore, Microsoft Defender can identify and block the vulnerability on Windows systems, while Valve is implementing its own safeguards through the Steam Client.
In response, Obsidian Entertainment has temporarily pulled titles such as Grounded 2, Pentiment, Avowed, and Pillars of Eternity from digital stores while it works on fixes for the security flaw. The studio has assured customers that it is prioritizing safety and will provide updates on the return of these games. Other titles, including Among Us and Marvel Snap, have already released updates to address the Unity security flaw.
Given the extensive range of games developed with Unity, the total number of titles that need updates to address this vulnerability has yet to be fully determined.