New remote code execution CVE has been found in all Unity games built on the version 2017.1 and later. Impacts all versions, Windows, Linux, MacOS, Android, and iOS. Even unity sent emails out to everybody warning to upgrade ASAP. For the dumbs: >Every multiplayer unity game made after 2017 can result in hackers taking over your PC/Phone https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/
>>722323430 >RCE for every multiplayer Unity game made in the last 8 years Awesome
can someone translate that shit to it's fucking nothing? because it seems that way to me
>Hijacks with a press of a link on android https://www.youtube.com/watch?v=QEhqb4A_MwQ
I don't play multiplayer games
From the unity forums. >Android App stores, or direct download: As an additional layer of defense, Android’s built-in malware scanning and other security features will help reduce risks to users posed by this vulnerability. This does not replace the time critical need to apply the patch update for affected apps. (These protections do not apply to AOSP-based platforms unaffiliated with Google.) >If your application targets Windows: For Windows-based applications, Microsoft Defender has been updated and will detect and block the vulnerability. Valve will issue additional protections for the Steam client. Maybe not RCE if the game doesn't download .so files from other clients. But still PANIC
Oh is that what this steam update was about then? >https://store.steampowered.com/news/collection/steam/?emclan=103582791457287600&emgid=507340830949770870 >Added mitigations for Unity CVE-2025-59489, blocking a game launch through the Steam Client when an exploit attempt is detected
>>722324064 Neat
>>722324064 >Itch.io games don't have a client like steam
>>722323430 >In its default configuration, this vulnerability allowed malicious applications installed on the same device to hijack permissions granted to Unity applications. >In specific cases, the vulnerability could be exploited remotely to execute arbitrary code, although I didn’t investigate third-party Unity applications to find an app with the functionality required to enable this exploit. It's a nothingburger.
>>722323430 >>722323646 >>722324176 Now we can officially declare Steam is not safe for anyone to play games.
DON'T PANIC
>>722324523 But Steam has seemed to already implement mitigations for it. >>722324064
>>722323430 >Add RCE >Change the Unity License Agreement >"You can stay on older version ;)" >Oh no! There's a RCE quick upgrade now!! ;)
i wish unity had a kernel anti-cheat that would've prevented this
>>722324618 You can just patch your old executable. No need to upgrade.
>>722324927 nta, but they've only fixed version 2019.1 and beyond. So if your game is before that, but greater than 2017.1. Then yeah, you need to upgrade.
>>722323430 What about single players games made in Unity after 2017 with no online features?
>Steam already implemented a mitigation based Gaben all those gacha that are made in Unity, though...
>>722325035 If you download an .so file from somewhere, and then click a link it can be exploited. See >>722323773 Wonder how the fuck this works with unity games that you don't need to download, and just runs in the browser.
>multiplayer Oh another nothing-burger
>>722325109 I highly doubt gacha games are still running on a unity version from 8 years ago
>>722323430 >>722324047 I'm confused, the OP article only mentions android, and the exploit revolves around "intent" which is some android shit. Why would this matter on PC?
>>722323430 good thing I am a console chad.
>>722324574 >Allowed crypto stealing game >Allow scammers to upload game >Allow Unity to remote code execution Steam is not safe, 90% of “gamedev” used Unity multiplayer through Steam servers. They’re mostly abandoned and Steam is unwilling to remove those games.
>>722323430 >multiplayer unity game I straight up can't think of any
>>722324064 I don't get it, I thought OP was saying the issue was with other players but this sounds like it's a dev issue
>>722325190 but op says AFTER
>>722327907 Uhhh Carol's game?
>>722328103 Oh shit oh fuck Maybe the delay was a good thing then
>>722323430 Cool. Going to switch to making games from scratch now. I'm glad the only Unity game I have released was a single player browser game.
>>722328536 Scratch is really more of a learning tool than a creating tool, some things are deliberately more complicated than they need to be so you can learn the underlying logic behind them
>>722328586 Reading comprehension. I said "from scratch" not "using scratch". Two very different things.
>>722323430 As a pirate chad I can say that all my games are already full of backdoors and malware so it is not a big issue
>>722328041 I'm retarded
>>722328586 Lisping fucking retard
>>722323430 It's over for VRchat
>>722323430 LMAO
>>722324249 akshually there is an itch.io desktop client thing no idea why the fuck people would use it though
>>722328536 Do you really think you will have the response time to these emergencies to compare to the Unity team? Sorry, making your own engine is cool. Good luck
>>722324249 They don't have online servers in general
>>722328103 Censored garb
>>722332854 Don't plenty of itch.io games have multiplayer servers?
>>722331386 I recently used it for a game in early beta that was receiving rapid updates
HOLY FUCK GUYS I'M GETTI̸̺̺͎̰̥̜̯̼̮̰͖̜͂͆̿̈́̿̔N̸̡̧͕͙̼̻̳̦̪̞̯͎̦͓̏̒͌͑͒͊̾͌̑̕͝ͅG̶̺̥̎̄͌͑͂̔̏̓̂́̈́͜͝͝͝͝ͅ Ḩ̵̛̘̤͙͔̝̫̖̻̦̞͙̺̿͘͝Ą̵̺̰̻̻͔͇͓̈́̓͛̏̈́͌͋̄̑͆̏C̴̀͐ͅK̵̢̛̛͉̳̫͔̺̱̗̫̽̉́͋̾́͂͛
>update the engine >90000000 errors appear in the console
>>722333412 IT WAS ME
>>722333481 source?