October 9, 2025 / Industry Insights / Read Time: 22 Min

Critical Vulnerability Found in Unity Engine! What Legal Liability Do Game Developers Face for Not Fixing It?

Details the administrative, civil, and criminal liabilities under Chinese cybersecurity and personal information protection laws that game developers face if they fail to patch the high-risk CVE-2025-59489 privilege escalation vulnerability in Unity, including fines up to 5% of annual turnover and potential imprisonment for responsible personnel.

Did everyone in the gaming industry enjoy their holiday?

Time to get back to work!

Recently, Unity Technologies suddenly released an important security update notice, disclosing a high-risk vulnerability.

The affected range is extremely wide: every release from the old 2017 versions up to the current 6000 series (Unity 6), which is to say almost everything.

In other words, if you’re using an official version of Unity, your project is likely affected.

So the question is:

What happens if you pretend not to see it and skip the update?

What legal liability would you face?

*This article reflects only the author’s personal views and does not constitute legal advice or a legal opinion.


I. How “Toxic” Is This Vulnerability?

This vulnerability (CVE-2025-59489) is a privilege escalation bug in the Unity runtime.

In plain terms, an attacker who exploits it gets to run code with the game's own privileges on a player's computer or phone.

That means, for example, silently executing malicious code, or reading any data that the game application itself can access.

The affected runtime platforms are Android, Windows, Linux and macOS (iOS is not affected).

The affected Unity versions go all the way back to 2017.

Unity's official severity rating is "High", with a CVSS score of 8.4 out of 10.

Unity has stated that "there is currently no evidence that this vulnerability has been exploited or has caused any impact on users or customers." But the bug has sat in shipping runtimes for close to eight years and was reported to Unity back in June; with a hole that wide left open for that long, nobody can guarantee that nothing will go wrong.

Unity's recommendation is blunt: "All developers with affected projects must take action."

II. Unity’s Official “Prescription”

Fortunately, better late than never.

Unity has provided two remediation options:

Update Unity Version

The most thorough approach is to upgrade the Unity editor used to build the project (at minimum on the build machines) to a patched version, then rebuild the game and resubmit it to the stores.

Simple, direct, and effective.

Apply the Patch

However, some projects cannot simply be rebuilt: the project is too large, a plugin or asset dependency is pinned to a specific Unity version, or the game was built with an old 2017/2018 version and the source code has since been lost. For these cases Unity also offers a less invasive route:

use the official Unity Binary Patch tool to replace only the vulnerable runtime library inside the already-built game.

For specific remediation instructions, refer to the following link:

https://unity.com/security/sept-2025-01/remediation

Two options — one should work for your project.
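Before choosing between the two options, the first practical question is which Unity runtime each shipped build actually contains. The script below is an added Python example (not Unity's own tooling and not part of the original article): it scans the files in a build that carry the embedded version string (UnityPlayer.dll on Windows, libunity.so on Android/Linux, globalgamemanagers in the data folder), parses Unity's version format including the a/b/f/p release letters and the cN suffix on Unity China builds, and compares each build against a per-stream fixed-version table. The sample byte blob and the ASSUMED_FIXED table are assumptions for illustration; take the real minimum patched release for each stream from the Unity remediation page linked above.

```python
"""Triage helper: find the Unity runtime version embedded in a shipped build
and decide whether it predates the patched release for its version stream."""
import re
from pathlib import Path
from typing import Dict, List, NamedTuple, Optional

# Unity version strings look like 2021.3.45f1, 6000.0.50f1, 2017.1.0p5 or
# 6000.3.0b4; Unity China builds append a cN suffix, e.g. 2022.3.44f1c1.
_VERSION_RE = re.compile(
    rb"(\d{1,4})\.(\d{1,2})\.(\d{1,3})([abfpx])(\d{1,3})(?:c(\d{1,2}))?"
)

# Release types in the order Unity publishes them: alpha, beta, final, patch.
# Experimental ('x') is ranked lowest so it never counts as a fix.
_RELEASE_RANK = {"x": 0, "a": 1, "b": 2, "f": 3, "p": 4}


class UnityVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    release: str  # one of a, b, f, p, x
    build: int
    china: int    # 0 for global builds, N for the cN China suffix

    @property
    def stream(self) -> str:
        """The release stream the fix table is keyed on, e.g. '2021.3' or '6000.0'."""
        return f"{self.major}.{self.minor}"

    def sort_key(self):
        # The China suffix is deliberately ignored: 2021.3.56f2c1 is the same
        # runtime as 2021.3.56f2 for the purpose of "is the fix in or not".
        return (self.major, self.minor, self.patch, _RELEASE_RANK[self.release], self.build)

    def __str__(self) -> str:
        text = f"{self.major}.{self.minor}.{self.patch}{self.release}{self.build}"
        return text + (f"c{self.china}" if self.china else "")


def parse_version(text: str) -> UnityVersion:
    """Parse a Unity version string; raises ValueError on anything else."""
    m = _VERSION_RE.fullmatch(text.encode())
    if not m:
        raise ValueError(f"not a Unity version string: {text!r}")
    major, minor, patch, rel, build, china = m.groups()
    return UnityVersion(int(major), int(minor), int(patch), rel.decode(), int(build), int(china or 0))


def extract_versions(blob: bytes) -> List[UnityVersion]:
    """Return every distinct Unity version string found in a build artifact, newest first."""
    found = {parse_version(m.group(0).decode()) for m in _VERSION_RE.finditer(blob)}
    return sorted(found, key=lambda v: (v.sort_key(), v.china), reverse=True)


def assess(version: UnityVersion, fixed: Dict[str, str]) -> Optional[bool]:
    """True if the build predates the fixed release for its stream, False if it is
    at or past it, None if the stream is not in the table (review it manually)."""
    target = fixed.get(version.stream)
    if target is None:
        return None
    return version.sort_key() < parse_version(target).sort_key()


def triage_build(root: Path, fixed: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Walk an unpacked build directory and report a verdict per version-carrying file."""
    carriers = {"UnityPlayer.dll", "libunity.so", "globalgamemanagers", "data.unity3d", "level0"}
    report: Dict[str, Optional[bool]] = {}
    for path in root.rglob("*"):
        if path.name in carriers and path.is_file():
            versions = extract_versions(path.read_bytes())
            report[str(path)] = assess(versions[0], fixed) if versions else None
    return report


# Constructed stand-in for a UnityPlayer.dll: filler bytes around two embedded
# version strings (a China build string and the plain one), so the example runs
# without a real game build.
SAMPLE_BLOB = (b"MZ\x90\x00junk" + b"2021.3.45f1c1" + b"\x00\x00UnityPlayer\x00"
               + b"2021.3.45f1" + b"\x00")

# ASSUMED fixed-version table: illustrative values only. Replace them with the
# minimum patched release per stream from Unity's remediation page.
ASSUMED_FIXED = {"2021.3": "2021.3.56f2", "2022.3": "2022.3.67f2", "6000.0": "6000.0.58f2"}

if __name__ == "__main__":
    labels = {True: "VULNERABLE (below fix)", False: "patched", None: "unknown stream, review"}
    for v in extract_versions(SAMPLE_BLOB):
        print(f"{v} (stream {v.stream}): {labels[assess(v, ASSUMED_FIXED)]}")
```

Point `triage_build` at an unpacked build directory; for Android, unzip the APK/AAB first, since libunity.so sits under lib/<abi>/ inside the archive. A build whose stream is missing from the table is reported as None rather than "safe", so an out-of-support 2018 or 2019 stream is never silently waved through.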

“Ugh, we’re already overwhelmed developing the new version — when would we have time to patch?”

“This is Unity’s vulnerability. If something goes wrong, shouldn’t Unity be fined, not us?”

“My game isn’t being updated and is just running on a server (or is a single-player game). Why do I need to fix it?”

Based on my understanding of development teams, I’m sure these sentiments are not uncommon.

(Dear reader, are you thinking the same?)

But here's the thing:

You could very well be penalized.

III. What Liability Could You Face?

Administrative Liability

Article 22 of the Cybersecurity Law of the People’s Republic of China states:

Article 22: Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not set up malicious programs; if they discover security defects, vulnerabilities, or other risks in their network products or services, they shall immediately take remedial measures, inform users in a timely manner as required, and report to the relevant authorities. Providers of network products and services shall continuously provide security maintenance for their products and services; they shall not terminate security maintenance within the prescribed period or the period agreed upon by the parties.

In other words, once a security vulnerability is found in a product, the developer must immediately take remedial measures, notify users as required and report to the authorities, and must keep providing security maintenance for the prescribed or agreed period. For a game, in practice, that period lasts as long as the server is running, people are still playing, or the game is still listed in an app store.

If the vulnerability is left unfixed and the company refuses to correct it after being ordered to, or harm to network security results, the company faces a fine of up to 500,000 yuan, and the directly responsible supervisor (in practice the boss or the producer) a fine of up to 100,000 yuan.

Article 60: Anyone who violates Article 22, Paragraphs 1 or 2, or Article 48, Paragraph 1 of this Law, in any of the following ways, shall be ordered to correct and given a warning by the relevant authorities; if they refuse to correct or cause consequences such as endangering network security, they shall be fined between 50,000 and 500,000 yuan, and the directly responsible supervisor shall be fined between 10,000 and 100,000 yuan: (1) Setting up malicious programs; (2) Failing to immediately take remedial measures for security defects, vulnerabilities, or other risks in their products or services, or failing to promptly inform users and report to the relevant authorities as required; (3) Unilaterally terminating security maintenance for their products or services.

If a game or app built with Unity also collects user personal information — or even sensitive personal information — and this vulnerability is exploited, leading to data leakage or misuse, this may also violate the protection obligations under the Personal Information Protection Law of the People’s Republic of China.

The consequences:

A fine of up to 50 million yuan or up to 5% of the previous year’s turnover, suspension of operations, or even revocation of relevant business permits or business licenses for the company; a fine of up to 1 million yuan for the directly responsible supervisor and other directly responsible personnel.

Article 66: Anyone who processes personal information in violation of this Law, or who fails to fulfill personal information protection obligations as required, … shall be ordered to suspend or terminate the provision of services for the application that processed personal information in violation of the law; if they refuse to correct, a fine of up to 1 million yuan shall be imposed; the directly responsible supervisor and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan. If the illegal act as described in the preceding paragraph is serious, … a fine of up to 50 million yuan or up to 5% of the previous year’s turnover shall be imposed, and the offender may be ordered to suspend relevant business or undergo rectification, and the relevant authorities shall be notified to revoke relevant business permits or business licenses; the directly responsible supervisor and other directly responsible personnel shall be fined between 100,000 and 1 million yuan, and may be prohibited from serving as directors, supervisors, senior management, or personal information protection officers of relevant companies for a certain period.

Civil Liability

At the same time, if user losses or personal information leaks occur due to the failure to fix the vulnerability, this may also constitute a violation of the Civil Code (Tort Liability Chapter) and the Personal Information Protection Law, requiring compensation to the affected users.

Civil Code:

Article 1197: If a network service provider knows or should know that a network user is using its network service to infringe upon the civil rights and interests of others, and fails to take necessary measures, it shall bear joint and several liability with the network user.

Personal Information Protection Law:

Article 69: If handling personal information infringes upon personal information rights and causes damage, and the personal information processor cannot prove that it is not at fault (Note: because the patch was not applied in a timely manner, it is difficult to prove “no fault”), it shall bear tort liability such as damages. The damages liability under the preceding paragraph shall be determined based on the losses suffered by the individual or the benefits gained by the personal information processor; if the individual’s losses and the processor’s gains are difficult to determine, the amount of damages shall be determined based on the actual circumstances.

Criminal Liability

Is that all?

Not yet.

Article 286-1 of the Criminal Law also provides for the “crime of refusing to fulfill information network security management obligations.”

Article 286-1: [Crime of Refusing to Fulfill Information Network Security Management Obligations] If a network service provider fails to fulfill the information network security management obligations prescribed by laws and administrative regulations, and, after being ordered by the regulatory authorities to take corrective measures, refuses to correct, and any of the following circumstances occurs, it shall be sentenced to up to three years of fixed-term imprisonment, criminal detention, or public surveillance, and shall also be fined or solely fined: (1) Causing a large amount of illegal information to spread; (2) Causing user information to be leaked, resulting in serious consequences; (3) Causing criminal case evidence to be lost, where the circumstances are serious; (4) Having other serious circumstances. If a unit commits the crime in the preceding paragraph, a fine shall be imposed on the unit, and the directly responsible supervisor and other directly responsible personnel shall be punished in accordance with the provisions of the preceding paragraph. If the acts in the preceding two paragraphs simultaneously constitute other crimes, the conviction and punishment shall be based on the provision with the heavier penalty.

In extreme cases (for example, a Rectification Notice has been received and the vulnerability is still not fixed), if hackers then exploit it and user information leaks with serious consequences, the company's responsible personnel may really end up "making license plates", which is to say serving prison time.

IV. What If My Game Is Only Released Overseas?

“My game is only for overseas markets, with only foreign users. These domestic laws can’t touch me, right?”

In fact, shortly after Unity’s official announcement, well-known overseas games such as MARVEL SNAP and Among Us immediately released patches.

Microsoft went further and pulled several affected games from its store outright, and recommended that users uninstall some titles that were still being patched, Hearthstone among them.

Why is even Microsoft this on edge?

The reason is:

Laws abroad, especially those on data security, are if anything more stringent, and the fines are heavier.

Take the EU's GDPR, known as the "toughest data protection regulation in history." If a breach happens because a known vulnerability was left unpatched, the regulator will look at Article 32 (security of processing) and, where personal data was exposed, at the integrity and confidentiality principle in Article 5(1)(f).

At the top tier, reserved for breaches of the basic principles such as Article 5, the maximum fine is 20 million euros or 4% of global annual turnover, whichever is higher. A failure of security measures alone under Article 32 falls in the lower tier of 10 million euros or 2%, again whichever is higher.

For many companies, even the lower tier would mean bankruptcy.

Another example is the California Consumer Privacy Act (CCPA, as amended by the CPRA).

Its sharpest edge is a private right of action: when a data breach results from a failure to maintain reasonable security, consumers can sue directly, and such suits are typically brought as class actions.

Each affected consumer can claim statutory damages of $100 to $750 per incident, or actual damages if greater.

Imagine if a game has hundreds of thousands of users in California — the compensation amount would be an “impossible-to-ignore” astronomical figure.

Therefore, if your projects involve overseas markets, especially operations in Europe or the US, it is even more recommended to apply the patch as soon as possible.

V. Conclusion

The holiday’s over — it’s time to get back to work.

Start by patching your project.

When it comes to security vulnerabilities, you cannot afford to be careless.

At the very least, don’t say, “Let’s deal with it next year.”

Boyang Li
Author

Chinese Attorney — Beijing Longan (Guangzhou) Law Firm

A lawyer focused on game law, AI regulation, data compliance, and digital content rights. I write about practical legal insights for innovative tech teams.