PT-2025-40457 · Unity Technologies · Unity Runtime
Ryotak · Published 2025-06-04 · Updated 2026-02-17 · CVE-2025-59489
CVSS v3.1: 7.4 (High)
Base vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Unity versions 2017.1 through 6000.3
Description
A critical vulnerability exists in the Unity Runtime, affecting applications built with Unity Editor versions 2017.1 and later for Android, Windows, macOS, and Linux. The vulnerability (CVE-2025-59489) allows for arbitrary code execution through argument injection, potentially enabling an attacker to load malicious code from an unintended location. This could allow an adversary to execute code on the machine running the affected application and potentially exfiltrate confidential information. While no active exploitation has been reported, the vulnerability has existed for approximately eight years. The risk is higher on platforms where the application has extensive permissions. The vulnerability is mitigated on iOS, Xbox, and Meta Horizon OS. Microsoft Defender and Steam have implemented protections.
Recommendations
Update to the latest patched version of the Unity Editor and rebuild all affected applications. If rebuilding is not feasible, use the Unity Application Patcher to patch existing builds. If anti-cheat or tamper protection is enabled, rebuilding is required. Ensure automatic updates are enabled for games and applications.
Tags: Exploit · Fix · LPE · RCE · Argument Injection · Untrusted Search Path
Related Identifiers
BDU:2025-13636
CVE-2025-59489
Affected Products
Unity Runtime
References · 138
- 🔥 https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime · Exploit
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59489 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-59489 · Security Note
- https://bdu.fstec.ru/vul/2025-13636 · Security Note
- https://unity.com/security/sept-2025-01 · Vendor Advisory
- https://twitter.com/lnxsec/status/1982379209205977251 · Twitter Post
- https://reddit.com/r/u_GuardingPearSoftware/comments/1nx3ipt/unitys_big_scare_what_you_need_to_know_about · Reddit Post
- https://twitter.com/lnxsec/status/1983126624225607809 · Twitter Post
- https://t.me/avleonovcom/1593 · Telegram Post
- https://twitter.com/TweetThreatNews/status/1975290967671337168 · Twitter Post
- https://twitter.com/lnxsec/status/1982175343449407556 · Twitter Post
- https://twitter.com/Action1corp/status/1978153782891696533 · Twitter Post
- https://reddit.com/r/CVEWatch/comments/1od45nf/top_10_trending_cves_22102025 · Reddit Post
- https://twitter.com/transilienceai/status/1980476958333874205 · Twitter Post
- https://reddit.com/r/CVEWatch/comments/1nxq0qn/top_10_trending_cves_04102025 · Reddit Post