Unity Real-Time Development Platform Vulnerability Lets Attackers Execute Arbitrary Code

Posted on October 5, 2025 By CWS

Unity Technologies has issued a critical security advisory warning developers about a high-severity vulnerability affecting its widely used game development platform.

The flaw, designated CVE-2025-59489, exposes applications built with vulnerable Unity Editor versions to unsafe file loading attacks that could enable local code execution and privilege escalation across multiple operating systems.

The vulnerability stems from an untrusted search path weakness (CWE-426) that allows attackers to exploit unsafe file loading mechanisms within Unity-built applications.

With a CVSS score of 8.4, this security issue affects virtually all Unity Editor versions from 2017.1 through current releases, potentially impacting millions of deployed games and applications worldwide.

Local File Inclusion Vulnerability

The vulnerability manifests differently across operating systems, with Android applications facing the highest risk as they are susceptible to both code execution and elevation of privilege attacks.

Windows, Linux Desktop, Linux Embedded, and macOS platforms face elevation of privilege risks, allowing attackers to gain unauthorized access at the application’s privilege level.

Security researchers at GMO Flatt Security Inc. discovered the flaw on June 4, 2025, and disclosed it responsibly.

The vulnerability exploits local file inclusion mechanisms, enabling attackers to execute arbitrary code confined to the vulnerable application’s privilege level while potentially accessing confidential information available to that process.

On Windows systems, the threat landscape becomes more complex when custom URI handlers are registered for Unity applications.

Attackers who can trigger these URI schemes could exploit the vulnerable library-loading behavior without requiring direct command-line access, significantly expanding the attack surface.

| Risk Factors | Details |
|---|---|
| Affected Products | Unity Editor versions 2017.1+ and applications built with these versions across Android, Windows, Linux, and macOS |
| Impact | Local code execution, privilege escalation, information disclosure |
| Exploit Prerequisites | Local system access, vulnerable Unity-built application present on the target system |
| CVSS 3.1 Score | 8.4 (High) |

Mitigations

Unity has released patches for all supported versions and extended fixes to legacy versions dating back to Unity 2019.1.

The company provides two primary remediation approaches: rebuilding applications with updated Unity Editor versions or applying binary patches using Unity’s specialized patch tool for deployed applications.

Current supported versions, including 6000.3, 6000.2, 6000.0 LTS, 2022.3 xLTS, and 2021.3 xLTS, have received immediate patches.

Legacy versions spanning 2019.1 through 2023.2 also received security updates, though versions 2017.1 through 2018.4 remain unpatched and should be upgraded immediately.

The vulnerability vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates a local attack vector with low complexity and no user interaction needed, making exploitation relatively straightforward for attackers with local system access.

Unity emphasizes that no evidence of active exploitation has been detected, and no customer impact has been reported to date.
