Unity game engine vulnerability affects Android, Linux, macOS and Windows

7 October 2025
Reported by AI

A serious security flaw in the Unity game engine runtime allows attackers to execute malicious code on multiple platforms. Microsoft has warned users of affected apps and games, recommending immediate uninstallation until patches are available. The vulnerability, rated high risk with a CVSS score of 8.4, impacts software built with Unity Editor version 2017.1 or newer.

The Unity runtime environment, used in numerous popular games for mobile and desktop devices, contains a vulnerability described by Microsoft as an "untrusted search path." This flaw, identified as CVE-2025-59489 or EUVD-2025-32292, enables attackers to manipulate intents for communication between app components, potentially loading arbitrary libraries and executing malicious code. According to the discoverer known as RyotaK, malicious apps on the same device can exploit this to gain elevated rights, and in some cases, it can be triggered remotely over the internet.

Affected platforms include Android, Linux, macOS, and Windows for apps created with Unity Gaming Engine Editor version 2017.1 or later. Users on HoloLens, iOS, Xbox cloud gaming, and Xbox consoles are not impacted. Microsoft lists several of its own titles as vulnerable, including Hearthstone, The Elder Scrolls: Blades, DOOM (2019), Wasteland 3, Fallout Shelter, and Microsoft Mesh PC Applications, among others like Pillars of Eternity and Warcraft Rumble.

Exploit code is already available, prompting urgent action. Microsoft advises uninstalling vulnerable software immediately and checking for updates regularly. An update for Microsoft Mesh PC (version 5.2513.3.0 or newer) is available via auto-update. Unity is developing patches but has not announced a release date. Developers are urged to install corrected Unity software and roll out updates for their applications as soon as possible.

This issue follows Microsoft's recent critical Entra ID vulnerability, highlighting ongoing security challenges in gaming and enterprise software ecosystems.