Unity Technologies has issued an urgent warning to developers after discovering a critical security vulnerability that has existed undetected in its game engine for almost a decade. The flaw, affecting multiple Unity versions dating back to 2016, could allow attackers to execute arbitrary code, compromise projects, or gain unauthorized access to player data.

According to Unity’s security bulletin, the vulnerability lies in how the engine handles certain asset bundle imports and shader compilation processes. Maliciously crafted files could exploit the flaw to inject harmful code, posing a major threat to developers who build or run unverified Unity projects. The company has labeled the issue as high severity and strongly advised all users to apply the latest patches immediately.

“This vulnerability has been present for far too long,” Unity acknowledged in its statement. “We’re taking comprehensive steps to protect developers and ensure this kind of oversight doesn’t happen again.”

Unity has already rolled out fixed versions across its major LTS (Long Term Support) releases and is working closely with cybersecurity firms to assess the full scope of the issue. Developers using outdated Unity builds are urged to update their projects to patched versions to avoid potential exploitation.

The revelation comes as the gaming industry faces a growing wave of supply-chain and build-system attacks, where attackers target development environments rather than end-user systems. Security experts note that the Unity vulnerability highlights how long-lived codebases can accumulate hidden risks when security audits are infrequent.

Industry analysts warn that the exposure could have wide-reaching implications. With Unity powering thousands of mobile, console, and VR titles globally, the flaw might have left a massive attack surface open for years. Fortunately, there’s no confirmed evidence yet of real-world exploitation.

Unity has committed to conducting a full postmortem and releasing a transparency report detailing how the vulnerability was discovered, how long it remained dormant, and what additional measures will be implemented to prevent future occurrences.

For developers, the message is clear: update immediately, review build pipelines, and avoid loading untrusted assets until all projects are secured.

Source: PC Gamer