A high-severity vulnerability in Unity, the widely used game and application engine and editor, can allow attackers to load arbitrary libraries and achieve code execution.
Tracked as CVE-2025-59489 (CVSS score of 8.4), the security defect resides in command-line arguments through which Unity could load and execute arbitrary code.
According to security engineer RyotaK from GMO Flatt Security, the issue is related to Unity’s support for application debugging and is straightforward to exploit locally.
“To support debugging Unity applications on Android devices, Unity automatically adds a handler for the intent containing the unity extra to the UnityPlayerActivity. This activity serves as the default entry point for applications and is exported to other applications,” RyotaK says.
Because the extra is passed as a command-line argument to Unity and any application can send the extra to a Unity application, an attacker could control the command-line arguments that are passed to a Unity application.
An attacker could build a malicious application that would extract the native library containing malicious code, and then launch the Unity application with a specific argument pointing to the malicious library, thus achieving code execution.
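The attack path described above runs through the exported UnityPlayerActivity reading the "unity" extra from an incoming intent. The following is an added hardening example, not Unity's patch and not code from the article or from RyotaK's report: a launcher activity that drops that extra before the player reads it, so another app on the device cannot supply command-line arguments through the exported entry point. It assumes the project already subclasses UnityPlayerActivity (Unity's documented extension point), that the player reads the extra from getIntent() during super.onCreate() as the report describes, and uses a hypothetical package name.

```java
// Added hardening example (assumption-based, not Unity's own fix):
// strip the "unity" intent extra before UnityPlayerActivity consumes it,
// so externally supplied player arguments never reach the native runtime.
package com.example.hardened; // hypothetical package name

import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import com.unity3d.player.UnityPlayerActivity;

public class HardenedPlayerActivity extends UnityPlayerActivity {
    private static final String TAG = "HardenedPlayer";
    // The extra name comes from the report quoted above.
    private static final String UNITY_EXTRA = "unity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        // Assumption: the base class reads getIntent() inside super.onCreate(),
        // so the extra has to be removed before delegating.
        stripUnityExtra(getIntent());
        super.onCreate(savedInstanceState);
    }

    @Override
    protected void onNewIntent(Intent intent) {
        // Also cover re-delivery to an already running (singleTask/singleTop) instance.
        stripUnityExtra(intent);
        super.onNewIntent(intent);
    }

    // Returns true when an extra was present and removed; the warning line gives
    // defenders a log signal that some caller tried to pass player arguments.
    static boolean stripUnityExtra(Intent intent) {
        if (intent == null || !intent.hasExtra(UNITY_EXTRA)) {
            return false;
        }
        Log.w(TAG, "Dropping external '" + UNITY_EXTRA + "' extra from launch intent");
        intent.removeExtra(UNITY_EXTRA);
        return true;
    }
}
```

This only closes the Android intent path and disables the debugging feature that relies on the extra; it does nothing for the Windows custom URI handler path discussed later, and the vendor's guidance to rebuild with a patched editor (or drop in the patched runtime) remains the actual fix.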
According to the security engineer, remote exploitation of the bug is potentially possible if a malicious website can force the browser to download a specific library and load it with a given argument.
Unity addressed the vulnerability with the release of the Unity Editor versions 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2. It also pushed the fixes to discontinued versions down to 2019.1.
According to Unity, successful exploitation of the issue could allow an attacker to execute arbitrary code remotely and access information on the devices running applications built using Unity.
“Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers,” Unity notes.
However, it also warns that the risk of exploitation on Windows devices is higher, due to “the presence of a registered custom URI handler for a vulnerable application or handler name”.
“If a custom URI scheme is present and can be invoked on the target system, an attacker who can cause that URI to be opened could trigger the vulnerable library-loading behavior without needing direct command-line access. Potential exploitation remains constrained to the privileges of the targeted application and to the data and services accessible to that process,” the vendor notes.
Unity has published recommendations for developers, warning that all applications built using Unity 2017.1 and later for Android, Windows, macOS, and Linux are impacted. The company has urged developers to update the editor to the latest version and then rebuild and redeploy their applications.
Microsoft says it is working on identifying potentially affected applications and games to update them, and that it has added exploitation detection rules to Microsoft Defender.
“You may be using a Microsoft app or playing a Microsoft game that should be uninstalled until an update is available. We are working to update games and applications that are potentially affected by this Unity vulnerability,” the tech giant told users.
Valve released a new Steam Client update which blocks the launching of games that contain in the launch request one of the four command-line parameters that Unity associates with the flaw. Developers should update their games using the Steamworks SDK or the Steamworks website and submit the update to Steam.
“Unity has provided two paths to update games affected by this issue. If your game is under active development, you can use a new version of the Unity Editor to rebuild your game. For developers that are unable to rebuild their game, Unity has released patched versions of the UnityPlayer.dll runtime file that can be dropped into existing game folders,” Valve notes.