Obsidian Pulls Pillars of Eternity 2 and More Games After Unity Security Exploit Discovered

Obsidian Entertainment pulled multiple games from Steam and other digital storefronts after Unity disclosed an eight-year-old security vulnerability in the Unity Runtime that affects titles built with Unity 2017.1 and later. Pillars of Eternity II: Deadfire, Pentiment, and various editions of Grounded 2 and Avowed disappeared from sale on October 3 while the studio prepares emergency patches to protect players from potential code execution attacks.


What the Unity Vulnerability Actually Is

Security researcher RyotaK of GMO Flatt Security found the flaw during Meta’s Bug Bounty Researcher Conference in May 2025. The vulnerability, designated CVE-2025-59489, affects the Unity Runtime in games and applications built with Unity 2017.1 and later for Android, Windows, Linux, and macOS. Unity’s advisory describes it as unsafe file loading and local file inclusion in the runtime: an attacker who can influence how a vulnerable game is launched can get the runtime to load a file from a location the attacker controls, and anything loaded that way runs with the game’s own privileges. In practice that means code execution and information disclosure at the privilege level of the vulnerable application, so the attacker gets whatever the game can reach (its save data, any credentials it stores, the permissions an Android app was granted), not the whole system.

Unity assigned it a CVSS score of 8.4 out of 10, landing firmly in high-severity territory. The company says there is no evidence of exploitation in the wild and no known impact on users or customers so far, but public disclosure means that will not hold indefinitely: the period between disclosure and a user actually installing the fix is when exploitation attempts typically begin. Unity published the fix on October 2, nearly four months after the flaw was reported to it on June 4.

Which Obsidian Games Were Pulled

Obsidian’s X post detailed the full list of temporarily delisted titles. Grounded 2 Founders Edition and Founders Pack both got pulled, along with Avowed Premium Edition and Premium Edition Upgrade. The Avowed listings are particularly interesting since the actual game runs on Unreal Engine 5, but the digital artbook included with premium editions was created using Unity, making those SKUs vulnerable.


Both Pillars of Eternity games were affected. The Hero Edition and Definitive Edition of the first game disappeared alongside Pillars of Eternity II: Deadfire and its Ultimate Edition. Pentiment, Obsidian’s narrative adventure set in 16th century Bavaria, also got removed. The timing particularly stings since Pillars of Eternity II: Deadfire and Pentiment were both discounted during Steam’s ongoing Autumn Sale, cutting off access to great deals right when players wanted to buy them.

The Temporary Nature of the Delisting

Obsidian emphasized that the removals are precautionary measures to keep players safe while patches are implemented. The studio apologized for any inconvenience and promised to restore games as soon as fixes are ready. Players who already own these titles can still access them in their libraries, though Obsidian strongly encourages updating as soon as patches become available.

How Other Developers Are Responding

Not every studio chose Obsidian’s cautious approach of delisting games entirely. No Rest for the Wicked developer Moon Studios rolled out a quick patch addressing the Unity vulnerability without removing the game from sale. Their X post reassured players that saves and gameplay are safe, urging everyone to simply hit update and continue playing. The game is currently 30 percent off on Steam, and Moon Studios positioned the patch as a non-disruptive security fix.

Cities: Skylines II pushed out a Unity Security Hotfix labeled v1.3.5f1 as a free patch live on Steam, with Microsoft Game Pass versions following shortly after. Colossal Order handled it as routine maintenance rather than an emergency requiring delistings. The split in responses shows how different studios assess risk and prioritize player safety versus maintaining sales momentum.

Platform-Level Protections Already in Place

Unity’s announcement emphasized that major platform holders implemented their own safeguards even before individual games got patched. Valve released an updated Steam client incorporating mitigations against the exploit. Microsoft updated Microsoft Defender to detect and block attempts to exploit the flaw, which catches known attack patterns but is not a substitute for patching the game itself. Google’s Android security infrastructure and Meta’s platforms also added protective measures.


Interestingly, the vulnerability doesn’t appear exploitable on iOS, tvOS, visionOS, Nintendo Switch, PlayStation, UWP, or WebGL according to Unity’s advisory. That narrows the attack surface considerably, though Windows and Android represent massive user bases where the risk remains real until every affected game gets patched and players actually download those updates.

The Eight-Year Problem

Unity 2017.1 launched in 2017, meaning the flaw has been present, unnoticed, for eight years across thousands of commercially released games. The sheer number of affected titles is staggering. Unity powers everything from indie darlings to AAA blockbusters, and any game built since 2017 potentially contains the vulnerability unless its developer either recompiles it with a patched Unity version or patches the shipped runtime in place.

Unity provided fixes for versions going back to Unity 2019, plus a Binary Patch tool that automatically patches existing builds for Android, Windows, and macOS without requiring full recompilation. Linux support is notably absent from the patcher, forcing Linux developers to rebuild applications using the patched Unity Editor if they want to eliminate the vulnerability. Unity justified this by stating Linux’s lower risk profile in typical deployment scenarios made a dedicated patcher unnecessary.
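The version window above (2017.1 and later affected, patched editors only from 2019 on, a Binary Patch tool for the rest) is something a practitioner can check against an installed library rather than take on faith. The script below is an added example for this article, not Unity’s or Obsidian’s tooling. It assumes only that Unity builds carry their engine version as a clear-text string in the player binary (UnityPlayer.dll/.so/.dylib, libunity.so on Android) or in the game’s `globalgamemanagers` file, which is where the version is commonly found; the sample bytes it scans are constructed here, not taken from any real game, and it hard-codes no fixed release numbers, since those must come from Unity’s advisory.

```python
"""Triage helper: inventory Unity-built games on disk and flag builds that
fall inside the CVE-2025-59489 window (Unity 2017.1 and later).

Added example, not Unity's or any studio's tooling. Assumes Unity builds
carry their engine version as a clear-text string in the player binary or
in <Game>_Data/globalgamemanagers (an assumption, but a common one).
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Unity version strings look like 5.6.7f1, 2019.4.40f1, 2022.3.62f1, 6000.0.50f1.
# Release letters: a(lpha), b(eta), f(inal), p(atch), x (custom build).
VERSION_RE = re.compile(rb"(?:[45]\.\d+|20\d{2}\.\d+|6000\.\d+)\.\d+[abfpx]\d+")
_LETTER_RANK = {"a": 0, "b": 1, "f": 2, "p": 3, "x": 4}

# File names a Unity build ships; the scanner reads only these.
PLAYER_FILES = {"UnityPlayer.dll", "UnityPlayer.so", "UnityPlayer.dylib",
                "libunity.so", "globalgamemanagers"}


def find_unity_versions(blob: bytes) -> List[str]:
    """Return the distinct Unity version strings present in a binary blob."""
    found: List[str] = []
    for m in VERSION_RE.finditer(blob):
        v = m.group(0).decode("ascii")
        if v not in found:
            found.append(v)
    return found


def version_key(v: str) -> Tuple[int, int, int, int, int]:
    """Sortable key: (major, minor, patch, release-letter rank, build number)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([abfpx])(\d+)", v)
    if not m:
        raise ValueError(f"not a Unity version string: {v!r}")
    return (int(m[1]), int(m[2]), int(m[3]), _LETTER_RANK[m[4]], int(m[5]))


def classify(version: str, patched_by_stream: Optional[Dict[str, str]] = None) -> str:
    """Classify one build against the facts in Unity's advisory: 2017.1+ is in
    scope, patched editors exist only from 2019 on, and the exact fixed release
    per stream must be read from the advisory and passed in as
    {"2019.4": "<fixed version>"}. No real fixed versions are hard-coded here."""
    major, minor = version_key(version)[:2]
    if (major, minor) < (2017, 1):
        return "not affected (pre-2017.1)"
    if major < 2019:
        return "affected: no patched editor for this stream; use the Binary Patch tool or upgrade the engine"
    stream = f"{major}.{minor}"
    fixed = (patched_by_stream or {}).get(stream)
    if fixed is None:
        return f"affected until patched: check stream {stream} against Unity's advisory"
    if version_key(version) >= version_key(fixed):
        return "patched"
    return f"affected: below patched {fixed}"


def scan_install_dir(root: Path, patched_by_stream: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Walk a game install directory and classify every Unity version found."""
    results: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.name in PLAYER_FILES:
            for v in find_unity_versions(path.read_bytes()):
                results[f"{path}:{v}"] = classify(v, patched_by_stream)
    return results


# Constructed sample standing in for the bytes around a version string in a
# player binary; not data from any real game.
SAMPLE_BLOB = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"2019.4.40f1\x00"
               + b"UnityPlayer" + b"\x00" * 8 + b"2019.4.40f1\x00")


if __name__ == "__main__":
    for v in find_unity_versions(SAMPLE_BLOB):
        print(v, "->", classify(v))
    # Real use: python unity_triage.py /path/to/steamapps/common
    if len(sys.argv) > 1:
        for key, verdict in scan_install_dir(Path(sys.argv[1])).items():
            print(key, "->", verdict)
```

Treat the verdicts as triage, not proof: a build updated with Unity’s Binary Patch tool may or may not report a changed version string (an assumption this script does not test), and a version inside the window tells you the game needs attention, not that it is exploitable on your machine. The `patched_by_stream` dictionary is deliberately empty by default so that the fixed release numbers are copied from the advisory rather than guessed.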

The Developer Burden

Patching eight years of released games represents a massive undertaking for studios, especially smaller teams with limited resources. Developers need to download updated Unity editors, recompile projects, test for compatibility issues, and republish across multiple storefronts. Games that haven’t received updates in years might not even have maintainers actively working on them anymore, creating orphaned software that remains permanently vulnerable.

The Binary Patch tool helps, but it doesn’t work with games that have anti-cheat or tamper-proofing measures built in, since those deliberately reject a modified runtime. Those titles require full recompilation, which takes significant time and testing to ensure nothing breaks. For live service games with active player bases, shipping an emergency client update, often with forced downtime, disrupts operations and costs revenue. The cascading effects touch every corner of the gaming ecosystem.

Community Reaction and Concerns

Reddit discussions highlighted how Unity’s string of controversies keeps damaging its reputation. The infamous runtime fee fiasco from 2023 already soured many developers on the platform. Now a high-severity security vulnerability that sat undetected for eight years adds fuel to the fire. Some commenters questioned how Unity’s security audits and code reviews could miss something this significant for so long.

Others praised RyotaK for following responsible disclosure practices, reporting the vulnerability privately to Unity and giving them time to develop fixes before going public. That’s the correct approach, but it also means the exploit existed in private knowledge for months before patches became available. The timeline from discovery in June to public disclosure in October represents a balance between giving developers time to fix issues and informing the public about risks.

Frequently Asked Questions

Why was Pillars of Eternity 2 removed from Steam?

Obsidian Entertainment temporarily delisted Pillars of Eternity II: Deadfire and other Unity-based titles on October 3, 2025 to protect players while implementing emergency patches for a high-severity Unity security vulnerability affecting games built with Unity 2017.1 onward.

What is the Unity security vulnerability CVE-2025-59489?

It’s a high-severity flaw in Unity Runtime affecting games built with Unity 2017.1 and later for Android, Windows, Linux, and macOS. Attackers could potentially execute code and extract sensitive information from devices running vulnerable applications.

Can I still play Pillars of Eternity 2 if I already own it?

Yes, players who already own affected games can still access them in their libraries. Obsidian encourages updating as soon as patches become available to protect against the vulnerability.

What other Obsidian games were removed?

Obsidian pulled Grounded 2 Founders editions, Avowed Premium editions, both Pillars of Eternity games, and Pentiment from digital storefronts. All removals are temporary while security patches are implemented.

How long has this Unity vulnerability existed?

The vulnerability has existed since Unity 2017.1 launched in 2017, making it an eight-year-old security flaw that went undetected until researcher RyotaK discovered it in May 2025.

Are console games affected by the Unity exploit?

The vulnerability doesn’t appear exploitable on iOS, tvOS, visionOS, Nintendo Switch, PlayStation, UWP, or WebGL according to Unity. Only Android, Windows, Linux, and macOS versions are affected.

How do developers fix games with this vulnerability?

Developers can download patched Unity editors and recompile their games, or use Unity’s Binary Patch tool for Android, Windows, and macOS builds. Linux requires full recompilation, and games with anti-cheat measures can’t use the patcher.

Conclusion

An eight-year-old security vulnerability hiding in one of gaming’s most popular engines creates a nightmare scenario for developers and players alike. Obsidian’s decision to pull games from sale shows responsible prioritization of player safety over short-term revenue, especially with discounted titles during a major Steam sale. Other studios are handling it differently, but the core message remains the same: if you own Unity-based games built since 2017, watch for updates and install them immediately. The patches are out there, but they only work if developers implement them and players actually download the fixes.
