Unity has issued an advisory for developers regarding a significant security vulnerability that affects games created with its development tool since 2017. The company emphasized the need for “immediate action,” although it stated that there is currently “no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.” Unity has provided fixes that developers can apply, as noted by Larry Hryb, also known as “Major Nelson.”
Developers who have released games or applications using Unity versions 2017.1 or later for platforms including Windows, Android, or macOS are particularly urged to take action. Unity mentioned that its platform partners have also implemented additional measures to enhance security and protect end users.
In response to the vulnerability, Valve has already released an updated version of Steam incorporating mitigations. Additionally, Microsoft Defender for Windows has been updated to detect and block the vulnerability. Google and Meta have also taken precautionary steps. Notably, there have been “no findings to suggest” that the vulnerability is exploitable on platforms such as iOS, visionOS, tvOS, Xbox, Nintendo Switch, PlayStation, UWP, Quest, and WebGL.
As detailed in the Common Vulnerabilities and Exposures (CVE) record related to this issue, if an application was built with a version of Unity Editor that contained the vulnerable Unity Runtime code, an unauthorized party could potentially execute code on the affected machine and access confidential information.
Source: https://www.theverge.com/news/791609/unity-security-exploit-developers-update-games