A high-severity vulnerability within the common gaming and software editor Unity can permit attackers to load arbitrary libraries and obtain code execution.
Tracked as CVE-2025-59489 (CVSS rating of 8.4), the security defect resides in command-line arguments by which Unity may load and execute arbitrary code.
In line with security engineer RyotaK from GMO Flatt Safety, the difficulty is expounded to Unity’s assist for software debugging and is simple to use domestically.
“To assist debugging Unity functions on Android gadgets, Unity mechanically provides a handler for the intent containing the unity further to the UnityPlayerActivity. This exercise serves because the default entry level for functions and is exported to different functions,” RyotaK says.
As a result of the additional is handed as a command-line argument to Unity and any software can ship the additional to a Unity software, an attacker may management the command-line arguments which might be handed to a Unity software.
An attacker may construct a malicious software that may extract the native library containing malicious code, after which launch the Unity software with a particular argument pointing to the malicious library, thus reaching code execution.
In line with the security engineer, distant exploitation of the bug is doubtlessly potential if a malicious web site can pressure the browser to obtain a particular library and cargo it with a given argument.
Unity addressed the vulnerability with the discharge of the Unity Editor variations 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2. It additionally pushed the fixes to discontinued variations all the way down to 2019.1.
In line with Unity, profitable exploitation of the difficulty may permit an attacker to execute arbitrary code remotely and entry data on the gadgets working functions constructed utilizing Unity.
“Code execution can be confined to the privilege stage of the susceptible software, and knowledge disclosure can be confined to the data accessible to the susceptible software. There isn’t any proof of any exploitation of the vulnerability nor has there been any affect on customers or clients,” Unity notes.
Nevertheless, it additionally warns that the danger of exploitation on Home windows gadgets is greater, as a consequence of “the presence of a registered customized URI handler for a susceptible software or handler title”.
“If a customized URI scheme is current and might be invoked on the goal system, an attacker who could cause that URI to be opened may set off the susceptible library-loading habits without having direct command-line entry. Potential exploitation stays constrained to the privileges of the focused software and to the info and companies accessible to that course of,” the seller notes.
Unity has revealed suggestions for builders, warning that every one functions constructed utilizing Unity 2017.1 and later for Android, Home windows, macOS, and Linux are impacted. The corporate has urged builders to replace the editor to the newest model after which rebuild and redeploy their functions.
Microsoft says it’s engaged on figuring out doubtlessly affected functions and video games to replace them, and that it has added exploitation detection guidelines to Microsoft Defender.
“You could be utilizing a Microsoft app or taking part in a Microsoft sport that must be uninstalled till an replace is obtainable. We’re working to replace video games and functions which might be doubtlessly affected by this Unity vulnerability,” the tech big informed customers.
Valve launched a brand new Steam Shopper replace which blocks the launching of video games that include within the launch request one of many 4 command-line parameters that Unity associates with the flaw. Builders ought to replace their video games utilizing the Steamworks SDK or the Steamworks web site and submit the replace to Steam.
“Unity has offered two paths to replace video games affected by this subject. In case your sport is underneath energetic growth, you should utilize a brand new model of the Unity Editor to rebuild your sport. For builders which might be unable to rebuild their sport, Unity has launched patched variations of the UnityPlayer.dll runtime file that may be dropped into current sport folders,” Valve notes.
