Full Report
A code execution vulnerability in the Unity game engine could be exploited to achieve code execution on Android and privilege escalation on Windows. [...]
Analysis Summary
# Vulnerability: Unity Runtime Code Execution and Information Disclosure
## CVE Details
- CVE ID: CVE-2025-59489
- CVSS Score: Not given in the summarised material; the impact is described as Code Execution and Information Disclosure.
- CWE: Not given in the summarised material; the flaw is an unvalidated file path used for native library loading (untrusted search path / local file inclusion class).
## Affected Systems
- Products: Unity Game Engine (Runtime component)
- Versions: All games built on Unity versions starting from 2017.1.
- Configurations: Games deployed on Android are reachable through Intents and custom URI schemes; games on Windows, macOS and Linux are affected as well because the root cause is in the shared runtime.
## Vulnerability Description
The vulnerability lies in the Unity Runtime's handling of command-line arguments, specifically the `-xrsdk-pre-init-library` argument: the path it carries is loaded as a native library without validation or sanitization, so the flaw permits unsafe file loading and local file inclusion.
On Android, any malicious application installed on the same device can launch a vulnerable game with this argument and have it load and execute an attacker-supplied native library, resulting in **Arbitrary Code Execution** with the privileges of the target game. On the other platforms (Windows, macOS, Linux), the same weakness is reachable by manipulating the supplied path or the library search path.
## Exploitation
- Status: No active exploitation observed as of the bulletin publication date (2 October 2025).
- Complexity: Implied to be achievable via local application interaction (Android) or path manipulation (desktop OSes).
- Attack Vector: Likely Local (due to requiring interaction between apps on Android or file system access).
## Impact
- Confidentiality: Information disclosure possible, confined to the information accessible by the vulnerable application.
- Integrity: Arbitrary Code Execution possible, confined to the privilege level of the vulnerable application.
- Availability: Potential for service disruption due to code execution.
## Remediation
### Patches
- **Developers:** Update the Unity Editor to the newest version, then recompile and redeploy the affected games/applications.
- **Developers (Existing Builds):** Replace the `UnityPlayer.dll` in existing builds with a patched version, where a rebuild is not practical and the platform supports it.
- **Supported Versions:** Fixes are available for Unity Editor versions 2019.1 and later.
### Workarounds
- **End Users (Microsoft Recommendation):** Uninstall vulnerable games until new versions addressing CVE-2025-59489 become available.
- **Steam:** Valve shipped Steam client updates that block launching games through custom URI schemes, closing that delivery path on the platform.
## Detection
- **Indicators of Compromise (IoCs):** A Unity game process started with a `-xrsdk-pre-init-library` argument whose path lies outside the game's own install directory (another app's data directory on Android, a user-writable or remote location on desktop), or a native library loaded by such a process from such a location.
- **Detection Methods and Tools:** Monitor process-creation and module-load telemetry for Unity-based applications and alert on the above; no vendor-supplied signatures were provided, so the logic has to be built from command-line and library-load fields.
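As an added example that is not part of the advisory, the researcher writeup or Unity's own code: the script below runs over constructed process-creation records and flags launches whose `-xrsdk-pre-init-library` value resolves outside the game's install directory. The same containment test is what a runtime-side fix has to apply before loading the library, so it illustrates both the missing validation described above and the detection logic. The record fields (`pid`, `platform`, `cwd`, `install_dir`, `cmdline`), the game name, all paths and the sample events are assumptions; the flag is assumed to take its path as the following argument.

```python
"""Flag Unity launches that steer -xrsdk-pre-init-library outside the game.

Illustration code written for this summary, not Unity's code and not the
researcher's proof of concept. It assumes process-creation telemetry
(Sysmon event 1, auditd execve or similar) that yields the full command
line, working directory and install directory of a launched Unity game;
the record field names and the sample events below are constructed.
"""
import ntpath
import posixpath

# Argument named in the advisory. The vulnerable runtime loads whatever
# native library path follows it, so a path outside the game's own install
# directory is the signal worth alerting on.
PREINIT_FLAG = "-xrsdk-pre-init-library"


def tokenize(cmdline: str) -> list[str]:
    """Split a command line on unquoted whitespace; double quotes group a token.

    Backslashes are kept literally so Windows paths survive. This is a
    deliberate simplification of both cmd.exe and POSIX shell quoting.
    """
    tokens, buf, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def path_within(path: str, root: str, cwd: str, windows: bool) -> bool:
    """True if `path` (resolved against `cwd`) lies under `root`.

    Pure path arithmetic: traversal ("..") and UNC prefixes are handled,
    symlinks are not. A fix inside the runtime would also resolve the real
    path before comparing.
    """
    mod = ntpath if windows else posixpath
    full = mod.normcase(mod.normpath(mod.join(cwd, path)))
    base = mod.normcase(mod.normpath(root)).rstrip(mod.sep)
    # Trailing separator so "C:\Games\Foo2" does not match root "C:\Games\Foo".
    return full == base or full.startswith(base + mod.sep)


def assess(event: dict) -> dict:
    """Inspect one process-creation record and return a verdict."""
    windows = event["platform"] == "windows"
    tokens = tokenize(event["cmdline"])
    verdict = {"pid": event["pid"], "flag_present": False,
               "library": None, "suspicious": False, "reason": "flag absent"}
    for i, tok in enumerate(tokens):
        # Case-insensitive so a re-capitalised flag on Windows is not missed.
        if tok.lower() != PREINIT_FLAG:
            continue
        verdict["flag_present"] = True
        # Assumed "-flag value" form: the path is the next argument.
        lib = tokens[i + 1] if i + 1 < len(tokens) else None
        verdict["library"] = lib
        if lib is None:
            verdict["suspicious"], verdict["reason"] = True, "flag without a path"
        elif not path_within(lib, event["install_dir"], event["cwd"], windows):
            verdict["suspicious"], verdict["reason"] = True, "library outside install directory"
        else:
            verdict["reason"] = "library inside install directory"
        break
    return verdict


def scan(events: list[dict]) -> list[dict]:
    """Return the verdicts that deserve an alert."""
    return [v for v in map(assess, events) if v["suspicious"]]


# Constructed sample telemetry (not real logs); ExampleGame and all paths are made up.
SAMPLE_EVENTS = [
    # Normal launch: no pre-init flag at all.
    {"pid": 4120, "platform": "windows", "cwd": r"C:\Games\ExampleGame",
     "install_dir": r"C:\Games\ExampleGame",
     "cmdline": r'"C:\Games\ExampleGame\ExampleGame.exe" -screen-fullscreen 1'},
    # Library in a world-writable directory outside the game.
    {"pid": 4188, "platform": "windows", "cwd": r"C:\Games\ExampleGame",
     "install_dir": r"C:\Games\ExampleGame",
     "cmdline": r'"C:\Games\ExampleGame\ExampleGame.exe" -xrsdk-pre-init-library "C:\Users\Public\evil.dll"'},
    # UNC path: the runtime would fetch the library from a remote share.
    {"pid": 4201, "platform": "windows", "cwd": r"C:\Games\ExampleGame",
     "install_dir": r"C:\Games\ExampleGame",
     "cmdline": r'"C:\Games\ExampleGame\ExampleGame.exe" -XRSDK-Pre-Init-Library \\attacker\share\preinit.dll'},
    # Relative path that traverses out of the working directory on Linux.
    {"pid": 9031, "platform": "linux", "cwd": "/opt/examplegame",
     "install_dir": "/opt/examplegame",
     "cmdline": "/opt/examplegame/ExampleGame.x86_64 -xrsdk-pre-init-library ../../tmp/evil.so"},
    # Plugin inside the game's own data folder (hypothetical path): expected, not alerted.
    {"pid": 9044, "platform": "linux", "cwd": "/opt/examplegame",
     "install_dir": "/opt/examplegame",
     "cmdline": "/opt/examplegame/ExampleGame.x86_64 -xrsdk-pre-init-library "
                "/opt/examplegame/ExampleGame_Data/Plugins/libxrpreinit.so"},
]

if __name__ == "__main__":
    for v in scan(SAMPLE_EVENTS):
        print(f"pid {v['pid']}: {v['reason']} ({v['library']})")
```

On Android the argument arrives through an Intent rather than a process command line, so the record would have to be assembled from the game's launch data instead; the path test itself does not change. The allowlist approach (inside the install directory) is chosen over a denylist of bad locations because the attacker picks the location.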
## References
- Vendor Advisory (Unity): hxxps://unity.com/security/sept-2025-01
- Microsoft Bulletin: hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59489
- Steam Announcement: hxxps://steamcommunity.com/groups/steamworks/announcements/detail/524229329545071275
- Researcher Writeup: hxxps://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/