
Microsoft and Steam Take Action as Unity Vulnerability Puts Games at Risk

Posted on October 6, 2025 By CWS

A high-severity vulnerability in the popular gaming and application editor Unity can allow attackers to load arbitrary libraries and achieve code execution.

Tracked as CVE-2025-59489 (CVSS score of 8.4), the security defect resides in command-line arguments through which Unity can load and execute arbitrary code.

According to security engineer RyotaK from GMO Flatt Security, the issue is related to Unity’s support for application debugging and is easy to exploit locally.

“To support debugging Unity applications on Android devices, Unity automatically adds a handler for the intent containing the unity extra to the UnityPlayerActivity. This activity serves as the default entry point for applications and is exported to other applications,” RyotaK says.

Because the extra is passed as a command-line argument to Unity and any application can send the extra to a Unity application, an attacker could control the command-line arguments that are passed to a Unity application.

An attacker could build a malicious application that would extract the native library containing malicious code, and then launch the Unity application with a specific argument pointing to the malicious library, thus achieving code execution.

According to the security engineer, remote exploitation of the bug is potentially possible if a malicious website can force the browser to download a specific library and load it with a given argument.

Unity addressed the vulnerability with the release of the Unity Editor versions 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2. It also pushed the fixes to discontinued versions down to 2019.1.

According to Unity, successful exploitation of the issue could allow an attacker to execute arbitrary code remotely and access information on the devices running applications built using Unity.

“Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers,” Unity notes.

However, it also warns that the risk of exploitation on Windows devices is higher, due to “the presence of a registered custom URI handler for a vulnerable application or handler name”.

“If a custom URI scheme is present and can be invoked on the target system, an attacker who can cause that URI to be opened could trigger the vulnerable library-loading behavior without needing direct command-line access. Potential exploitation remains constrained to the privileges of the targeted application and to the data and services accessible to that process,” the vendor notes.

Unity has published recommendations for developers, warning that all applications built using Unity 2017.1 and later for Android, Windows, macOS, and Linux are impacted. The company has urged developers to update the editor to the latest version and then rebuild and redeploy their applications.
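For teams triaging an inventory of Unity builds against the fixed releases named above, the following is an added example, not code from Unity or from the article. It assumes each fix applies to its own major.minor stream and that Unity release types order as alpha < beta < final < patch; the inventory entries are constructed.

```python
import re

# Fixed Unity Editor releases named in the article.
PATCHED = ["6000.3.0b4", "6000.2.6f2", "6000.0.58f2", "2022.3.67f2", "2021.3.56f2"]
# Article: builds made with Unity 2017.1 and later are impacted.
FIRST_AFFECTED = (2017, 1)
# Assumption (not stated in the article): release types order a < b < f < p.
RANK = {"a": 0, "b": 1, "f": 2, "p": 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([abfp])(\d+)")


def parse(version):
    """Turn '2022.3.67f2' into a tuple that compares in release order."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Unity version: {version!r}")
    major, minor, patch, kind, build = m.groups()
    return (int(major), int(minor), int(patch), RANK[kind], int(build))


# Assumption: each listed fix covers its own (major, minor) stream.
FIXED_BY_STREAM = {parse(v)[:2]: parse(v) for v in PATCHED}


def triage(version):
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown'."""
    try:
        parsed = parse(version)
    except ValueError:
        return "unknown"
    stream = parsed[:2]
    if stream < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_BY_STREAM.get(stream)
    if fixed is None:
        # Affected range, but the article names no fixed build for this stream.
        return "unknown"
    return "patched" if parsed >= fixed else "vulnerable"


# Constructed inventory: title -> Unity version the build was made with.
SAMPLE_INVENTORY = {"game-a": "2022.3.66f1", "game-b": "6000.0.58f2",
                    "game-c": "2020.3.48f1", "game-d": "5.6.7f1"}

if __name__ == "__main__":
    for title, version in SAMPLE_INVENTORY.items():
        print(f"{title:8} {version:14} {triage(version)}")
```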

Microsoft says it is working on identifying potentially affected applications and games to update them, and that it has added exploitation detection rules to Microsoft Defender.

“You may be using a Microsoft app or playing a Microsoft game that should be uninstalled until an update is available. We are working to update games and applications that are potentially affected by this Unity vulnerability,” the tech giant told users.

Valve released a new Steam Client update which blocks the launching of games that contain in the launch request one of the four command-line parameters that Unity associates with the flaw. Developers should update their games using the Steamworks SDK or the Steamworks website and submit the update to Steam.

“Unity has provided two paths to update games affected by this issue. If your game is under active development, you can use a new version of the Unity Editor to rebuild your game. For developers that are unable to rebuild their game, Unity has released patched versions of the UnityPlayer.dll runtime file that can be dropped into existing game folders,” Valve notes.
