PT-2025-40457 · Unity Technologies · Unity Runtime
Ryotak · Published 2025-06-04 · Updated 2025-11-20 · CVE-2025-59489
CVSS v3.1: 7.4 (High)
Base vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Unity versions 2017.1 through 6000.3
Description
A high-severity vulnerability (CVSS v3.1 7.4) in the Unity Runtime allows arbitrary code execution on systems running applications built with affected versions of the engine. CVE-2025-59489 is an untrusted search path issue: the runtime honours a command-line argument that names a native library to load at startup, so an attacker who can inject arguments into a Unity application's launch can point it at a library under their control, which then runs with the privileges of the vulnerable application. The primary impact is local code execution. On Android, where the runtime also reads its arguments from data supplied by the launching Intent, a malicious app on the same device can reach the flaw without any user interaction in the target app, which is why remote exploitation is described as possible under specific conditions on that platform. No exploitation in the wild has been reported, although a public proof of concept exists (see the flatt.tech writeup in the references). Applications built for Android, Windows, macOS and Linux are affected. Microsoft and Valve have implemented mitigations on their platforms, and Unity has released patched Editor versions together with a binary patching tool for already-shipped builds. Approximately 70% of mobile games are estimated to be built with affected versions and therefore potentially affected.
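The detection a SOC would run against this pattern, as an added example that is not part of this entry nor code from Unity, Microsoft, Valve or Positive Technologies: it scans launch records (Windows, Linux and Android) for the preload-library argument named in the linked flatt.tech writeup and escalates when the library lies outside the application's install directory, which is the CVE-2025-59489 shape; the Android case shows the argument arriving through the "unity" string extra that the player activity parses. The three-field event schema and every sample event are constructed for illustration.

```python
"""Flag Unity application launches carrying an attacker-controllable
preload-library argument.

Added detection example for this entry; it is not code from Unity, Microsoft,
Valve or Positive Technologies. The flag name -xrsdk-pre-load-library is the
argument named in the linked flatt.tech writeup; the event schema (os, image,
cmdline) and every sample event below are constructed, so map your own
EDR/Sysmon/logcat export onto those three fields.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

PRELOAD_FLAG = "-xrsdk-pre-load-library"

# Liberal match: either separator, any case, quoted or bare value. A detection
# should not be narrower than whatever the runtime's parser happens to accept.
PRELOAD_RE = re.compile(
    re.escape(PRELOAD_FLAG) + r"""[=\s]+(?:"([^"]*)"|'([^']*)'|(\S+))""",
    re.IGNORECASE,
)

# Constructed sample events. On Android the interesting "command line" is the
# string extra named "unity" that the player activity parses as arguments; an
# `am start --es unity ...` line is the simplest way to show that vector.
SAMPLE_EVENTS = [
    {"os": "windows",
     "image": r"C:\Games\SpaceGame\SpaceGame.exe",
     "cmdline": r'"C:\Games\SpaceGame\SpaceGame.exe" -xrsdk-pre-load-library C:\Users\bob\Downloads\hook.dll'},
    {"os": "linux",
     "image": "/opt/games/rover/rover.x86_64",
     "cmdline": "/opt/games/rover/rover.x86_64 -screen-fullscreen 0"},
    {"os": "android",
     "image": "/data/app/com.example.game-1/base.apk",
     "cmdline": 'am start -n com.example.game/com.unity3d.player.UnityPlayerActivity '
                '--es unity "-xrsdk-pre-load-library /data/data/com.attacker.app/files/libpayload.so"'},
    {"os": "windows",
     "image": r"C:\Games\VRGame\VRGame.exe",
     "cmdline": r'"C:\Games\VRGame\VRGame.exe" -xrsdk-pre-load-library C:\Games\VRGame\VRGame_Data\Plugins\x86_64\XRSDKPreInit.dll'},
]


def extract_preload_library(cmdline):
    """Return the library path passed to the preload flag, or None."""
    m = PRELOAD_RE.search(cmdline)
    if not m:
        return None
    value = next(g for g in m.groups() if g is not None)
    # Nested quoting (the Android --es case) leaves a trailing quote on a bare token.
    return value.rstrip("\"'")


def inside_install_dir(library, image, os_name):
    """True only when the library is an absolute path under the app's install dir.
    Relative paths resolve against a cwd the attacker may control, so they count
    as outside."""
    P = PureWindowsPath if os_name == "windows" else PurePosixPath
    install_dir = P(image).parent          # exe dir, or /data/app/<pkg>/ for an APK
    return install_dir in P(library).parents


def scan(events):
    """Return one finding per event whose command line names a preload library."""
    findings = []
    for ev in events:
        lib = extract_preload_library(ev["cmdline"])
        if lib is None:
            continue
        inside = inside_install_dir(lib, ev["image"], ev["os"])
        findings.append({
            "os": ev["os"],
            "image": ev["image"],
            "library": lib,
            # Outside the install directory is the CVE-2025-59489 pattern; inside
            # may be a legitimate XR plugin but still deserves review.
            "severity": "medium" if inside else "high",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['os']}: {f['image']} loads {f['library']}")
```

Running the block prints three findings: the Windows launch pulling a DLL from a Downloads folder and the Android Intent pointing at another package's data directory are rated high, while the VR title loading a plugin from its own `VRGame_Data` tree is rated medium for review. Relative library paths are deliberately treated as outside the install directory, since the working directory at launch is exactly what an argument-injecting attacker can often control.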
Recommendations
Update to the latest patched Unity Editor release for your version stream, then rebuild and redistribute all affected applications. Where a rebuild is not feasible, run the Unity Application Patcher against the existing build; note that patching a binary in place can break anti-cheat or tamper-protection integrity checks, so applications that use such protections must be rebuilt rather than patched. End users should keep automatic updates enabled for games and applications so that patched builds are picked up promptly.
Exploit
Fix
RCE
LPE
Argument Injection
Untrusted Search Path
Related Identifiers
BDU:2025-13636
CVE-2025-59489
Affected Products
Unity Runtime
References · 134
- 🔥 https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime · Exploit
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59489 · Vendor Advisory
- https://unity.com/security/sept-2025-01 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-13636 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2025-59489 · Security Note
- https://twitter.com/Insatiatec/status/1978304502055784697 · Twitter Post
- https://twitter.com/secharvesterx/status/1973991591942525306 · Twitter Post
- https://twitter.com/gossy_84/status/1975456080697102736 · Twitter Post
- https://twitter.com/lnxsec/status/1980748439429210540 · Twitter Post
- https://twitter.com/TweetThreatNews/status/1975290967671337168 · Twitter Post
- https://i.redd.it/xba8a537s1tf1.jpeg · Reddit Post
- https://twitter.com/dailytechonx/status/1975705196073287726 · Twitter Post
- https://unity.com/security#security-updates-and-patches · Note
- https://twitter.com/PurpleOps_io/status/1975063595315556547 · Twitter Post
- https://reddit.com/r/pwnhub/comments/1nzl102/major_unity_flaw_microsoft_and_steam_issue_urgent · Reddit Post