CVE-2025-59489

Name of the Vulnerable Software and Affected Versions Unity versions 2017.1 through 6000.3

Description A critical vulnerability exists in the Unity Runtime, potentially allowing attackers to execute arbitrary code on systems running applications built with affected versions of the engine. This vulnerability, identified as CVE-2025-59489, stems from an untrusted search path issue, enabling the loading of malicious code through crafted command-line arguments. While primarily a local code execution risk, remote exploitation is possible under specific conditions on Android. No known exploits have been reported to date. The vulnerability affects applications built with Unity versions 2017.1 and later for Windows, Android, macOS, and Linux. Microsoft and Valve have implemented mitigations, and Unity has released patches and a binary patching tool.

Recommendations Update to the latest patched Unity Editor and rebuild applications to address the vulnerability. If rebuilding is not feasible, utilize the Unity binary patching tool, but note that it may not be compatible with applications employing anti-cheat or tamper protection. Ensure automatic updates are enabled for games and applications.