Unity was released in 2005 and has become a staple of the video game industry, with countless successful titles such as Hollow Knight: Silksong, Among Us, and Cuphead being run on the cross-platform engine. The prevalence of Unity-developed games has made the recent discovery of the engine’s security vulnerability all the more impactful. Due to the vulnerability, developers who use the engine are rushing to update their games or temporarily remove them from storefronts in order to prevent harm from befalling players.
On October 2nd, a staff member at Unity revealed that a security vulnerability was discovered and reported by a security researcher named RyotaK. In a CVE analysis of the vulnerability, it’s stated that “an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that [Unity Editor application] is running.” The vulnerability was given a high severity score of 7.4/10. The vulnerability was present in all games which have used any Unity version from 2017.1 onward, including those compatible with Android, Windows, Linux, and macOS operating systems.
Despite the vulnerability being introduced in 2017 and continuing to impact games for 8 years, Unity assured developers that “there is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.” The lack of current exploitation does not negate the risk of the vulnerability being exploited in the future, and Unity has told developers that they “need to take action if you have developed and released a game or application using Unity 2017.1 or later.” Unity also developed fixes for the vulnerability and made them available to all developers who utilized their engine.
Many developers have followed Unity’s advice and begun updating their games to phase out the vulnerability. The developers behind popular social-deduction game Among Us have already patched the vulnerability for Android devices and are currently creating updates for other operating systems. The developers behind the card-collectible game Marvel Snap have also released an update designed to combat the Unity vulnerability. Both developers have encouraged players to update their game as soon as possible to prevent potential exploitation.
Other developers have taken more extreme precautions to protect players from the vulnerability. Obsidian, the developers of the Grounded series, have temporarily removed many of their games and DLCs from digital storefronts. Impacted titles include Grounded 2 Founders Edition, Avowed Premium Edition, and Pentiment. The games will be reinstated once updates are implemented which fix the vulnerability. Obsidian apologized to players for the inconvenience and said, “our team is working on a fix and will restore these games as soon as possible. We will provide additional information once they are available again.” Obsidian also encourages players who have already downloaded the games to update them as soon as the update is released.
Given the extensive library of games that utilize the Unity engine, it’s unclear how many titles have been impacted. Regardless, it’s safe to say that countless Unity-based titles will be releasing vulnerability-related updates in the following days.