Full Report
An advisory from Unity — which makes the software behind dozens of popular games — warns developers to patch a vulnerability that could allow an attacker to execute code via an affected app.
Analysis Summary
# Vulnerability: Arbitrary Code Execution in Unity Game Engine
## CVE Details
- CVE ID: CVE-2025-59489
- CVSS Score: Not specified (Severity noted as "urgent need to update")
- CWE: Not specified
## Affected Systems
- Products: Unity game engine (used to build applications)
- Versions: Not listed in the text; Unity states that fixed versions are available.
- Configurations: Android, Windows, Linux, and macOS systems running Unity-built applications. Not exploitable on iOS, Xbox, PlayStation, or Nintendo Switch.
## Vulnerability Description
The vulnerability is a bug in the Unity game engine that exposes applications built with affected versions to arbitrary code execution. A malicious file could hijack permissions granted to the Unity game and execute commands with the application's privileges on the victim's device. This could lead to access to confidential information accessible by the vulnerable application.
## Exploitation
- Status: Not exploited (Unity stated "There is no evidence of any exploitation of the vulnerability")
- Complexity: Not specified; the advisory gives no technical complexity rating (low/medium/high), although the engine's reach across many applications makes the potential impact significant.
- Attack Vector: Implied to be a malicious file or payload that an affected Unity-built application processes on the victim's device (delivered locally or over the network).
## Impact
- Confidentiality: Potential exposure of "confidential information on end user devices," confined to the information available to the vulnerable application.
- Integrity: Arbitrary code execution, confined to the privilege level of the vulnerable application.
- Availability: Not explicitly stated, but code execution can impact application stability.
## Remediation
### Patches
- Unity has provided fixes that address the vulnerability and states they are "already available to all developers" (specific patched version numbers are not listed in the text).
### Workarounds
- **Microsoft Warning:** Users should temporarily uninstall vulnerable Microsoft apps/games until an update is available, or ensure games/applications are up to date and Microsoft Defender is running.
- **Steam Action:** Steam announced it would be blocking attempts to launch Unity games that include "any of the four command line parameters listed in the Unity report" that could potentially be malicious.
## Detection
- **Indicators of Compromise:** Not explicitly detailed, but successful exploitation would involve unexpected command execution within the context of the game application.
- **Detection methods and tools:** Users are advised to ensure games/applications are updated.
## References
- Unity Advisory: hxxps://unity.com/security/sept-2025-01
- NVD Link (CVE): hxxps://nvd.nist.gov/vuln/detail/CVE-2025-59489
- Microsoft MSRC: hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59489
- Steam Notice: hxxps://steamcommunity.com/groups/steamworks/announcements/detail/524229329545071275
- Researcher Disclosure (GMO Flatt Security): hxxps://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/