2025.8.f.4 FULGENTIUS
Fixed a bunch of Steam Deck issues that slowly accumulated over time (and resulted in the Steam Deck version becoming effectively unplayable).
In-game input hints now properly update once the relevant keybinding changes.
Consistent font size for all input hints.
The Mansus screen can be navigated with the keyboard.
Fixed some errors in Russian localisation.
Fixed the incorrect display of certain alphabetic characters.
Unity security update.
So this is another round of Chel's usual crypt-keeper updates. But the headline points are
(a) Steam Deck controls now work properly again, sorry! - and
(b) an apologetic security update from Unity!
--
I'll talk briefly about the security update, because you've probably seen, like me, a steady flow of updates in your Steam library, and most people are a bit vague about what it entails.
The short version: it's a vulnerability that seems to have been in Unity since 2017, but no one seems to have noticed or used it because it's pretty niche. So you probably don't have much to worry about even in unpatched games.
The long version: I'm not a cybersecurity bloke, but broadly as I understand it, here's how it worked. There were command line flags in any game built with Unity that could be used to tell your game to load arbitrary code, for example:
cultistsimulator.exe -overrideMonoSearchPath "C:\somefolder\ransomware.dll"
Of course someone has to (a) get the code on to your machine or a local network path, then (b) convince you to run the relevant command line, which isn't straightforward. But on Windows, it's quite easy to register an application to open any URL in a specified format, like this:
steam://getSteamToDoSomeConfigAction
So an attacker (a) tricks you into registering "cultist://" as a schema and then (b) gets you to click a link like this:
cultist:// -overrideMonoSearchPath "aSimpleHttpURLWouldntWorkButAttackerCouldPotentiallyGetCreativeToMakeYouDownloadAFIle"
Windows tells Cultist to start running and supplies the -overrideMonoSearchPath as a launch parameter. Poor Cultist obediently tries to load the file supplied in the malicious link, maybe it works, and if it does, you're now running their code.
So again, someone still needs to convince you to run an app in the first place to register Cultist as a schema handler, maybe your AV software will flag the download, idk, but the Internet is rife with clever cyber bastards. And it's a bigger deal for a game that actually is registered as a schema handler for genuine reasons.
Either way, it's fixed now, for Cultist and a lot of other games! But there will be unmaintained games out there with the vulnerability forever, so maybe if someone's read this far, I've saved them a visit to the Misery Palace ¯\_(ツ)_/¯
https://unity.com/security/sept-2025-01/remediation
https://www.kaspersky.com/blog/update-unity-games-cve-2025-59489/54542/
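
An added example, not part of the original post or the game's code: a PowerShell audit for the case described above, where a Unity game is registered as a URL handler. It lists registered URL handlers whose executable sits beside a UnityPlayer.dll, which is a heuristic assumed here for spotting Unity builds on Windows; the function names are hypothetical.

```powershell
# Added audit sketch (hypothetical helper names).
# Lists URL handlers registered on this machine whose target executable
# looks like a Unity player, so their builds can be checked against Unity's advisory.

function Get-HandlerExePath {
    param([string]$Command)
    # Handler commands look like:  "C:\path\app.exe" "%1"   or   C:\path\app.exe %1
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Get-UnityUrlHandler {
    $roots = 'Registry::HKEY_CURRENT_USER\Software\Classes',
             'Registry::HKEY_LOCAL_MACHINE\Software\Classes'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # A class is a URL handler only if it carries a "URL Protocol" value.
            if ($key.GetValueNames() -notcontains 'URL Protocol') { return }

            $cmdKey = $key.OpenSubKey('shell\open\command')
            if (-not $cmdKey) { return }
            $cmd = [string]$cmdKey.GetValue('')   # default value = launch command
            $exe = Get-HandlerExePath $cmd
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }

            # Heuristic (assumption): Unity Windows builds ship UnityPlayer.dll
            # in the same folder as the game executable.
            $dll = Join-Path (Split-Path -Parent $exe) 'UnityPlayer.dll'
            if (Test-Path -LiteralPath $dll) {
                [pscustomobject]@{
                    Scheme      = $key.PSChildName
                    Executable  = $exe
                    # Whatever version string the DLL reports; compare it by hand
                    # with the patched versions on Unity's remediation page.
                    UnityPlayer = (Get-Item -LiteralPath $dll).VersionInfo.ProductVersion
                    Command     = $cmd
                }
            }
        }
    }
}

Get-UnityUrlHandler | Format-List
```

An empty result means no registered handler points at a folder containing UnityPlayer.dll; it does not say anything about Unity games that are installed but not registered as handlers.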