1. Cultist Simulator
  2. News
  3. Update 2025.8.f.4 "FULGENTIUS"

Update 2025.8.f.4 "FULGENTIUS"

[h3]2025.8.f.4 FULGENTIUS[/h3]
  • [p]Fixed a bunch of Steam Deck issues that slowly accumulated over time (and resulted in Steam Deck version becoming effectively unplayable).[/p]
  • [p]In-game input hints now properly update once the relevant keybinding changes.[/p]
  • [p]Consistent font size for all input hints.[/p]
  • [p]The Mansus screen can be navigated with the keyboard.[/p]
  • [p]Fixed some errors in Russian localisation.[/p]
  • [p]Fixed the incorrect display of certain alphabetic characters.[/p]
  • [p]Unity security update.[/p]
[p][/p][p]So this is another round of Chel's usual crypt-keeper updates. But the headline points are[/p][p][/p][p](a) Steam Deck controls now work properly again, sorry! - and[/p][p](b) an apologetic security update from Unity![/p][p][/p][p]--[/p][p][/p][p]I'll talk briefly about the security update, because you've probably seen, like me, a steady flow of updates in your Steam library, and most people are a bit vague about what it entails.[/p][p][/p][p]The short version: it's a vulnerability that seems to have been in Unity since 2017, but no one seems to have noticed or used it because it's pretty niche. So you probably dont have much to worry about even in unpatched games. [/p][p][/p][p]The long version: I'm not a cybersecurity bloke, but broadly as I understand it, here's how it worked. There were command line flags in any game built with Unity that could be used to tell your game to load arbitrary code, for example:[/p][p][/p]
cultistsimulator.exe -overrideMonoSearchPath "C:\\somefolder\\ransomware.dll"
[p] [/p][p]Of course someone has to (a) get the code on to your machine or a local network path, then (b) convince you to run the relevant command line, which isn't straightforward. But on Windows, it's quite easy to register an application to open any URL in a specified format, like this[/p][p][/p]
steam://getSteamToDoSomeConfigAction
[p][/p][p]So attacker tricks you into (a) registering "cultist://" as a schema and then (b) gets you to click a link like this[/p][p][/p]
cultist:// -overrideMonoSearchPath "aSimpleHttpURLWouldntWorkButAttackerCouldPotentiallyGetCreativeToMakeYouDownloadAFIle"
[p][/p][p]Windows tells Cultist to start running and supplies the -overrideMonoSearchPath as a launch parameter. Poor Cultist obediently tries to load the file supplied in the malicious link, maybe it works, and if it does, you're now running their code.[/p][p][/p][p]So again, someone still needs to convince you to run an app in the first place to register Cultist as a schema handler, maybe your AV software will flag the download, idk, but the Internet is rife with clever cyber bastards. And it's a bigger deal for a game that actually is registered as a schema handler for genuine reasons.[/p][p]
Either way, it's fixed now, for Cultist and a lot of other games! But there will be unmaintained games out there with the vulnerability forever, so maybe if someone's read this far, I've saved them a visit to the Misery Palace ¯\\_(ツ)_/¯[/p][p][/p][p]https://unity.com/security/sept-2025-01/remediation[/p][p]
https://www.kaspersky.com/blog/update-unity-games-cve-2025-59489/54542/
[/p][p][/p]