Unity Engine Flaw Permits Code Execution on Android and Escalation on Windows

A Unity runtime flaw (CVE-2025-59489) allows malicious apps or inputs to load attacker libraries, enabling code execution on Android and privilege escalation on Windows; developers must patch.

    A critical vulnerability in the Unity game engine can be exploited to achieve arbitrary code execution on Android devices and privilege escalation on Windows, Unity maintainers and platform operators warned. The flaw affects the Unity Runtime and stems from unsafe handling of input that can allow malicious libraries to be loaded into Unity-built applications.

    Valve and Microsoft moved to protect users by issuing platform-level guidance and temporary mitigations while Unity released runtime fixes and urged developers to rebuild affected titles. Unity also advised developers to update the Editor, recompile their applications, or replace runtime binaries with patched versions to mitigate exploitation risk.

    “Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application,” Unity said in its security bulletin.

    The vulnerability, tracked as CVE-2025-59489, is classed by Unity as unsafe file loading and local file inclusion: the runtime accepts the path of a native library from its command line and loads it without checking where that path came from. On Android the input reaches the game through the platform’s Intent mechanism: a malicious app installed on the same device as a vulnerable Unity game can start it with a crafted Intent that points at a library the attacker controls, and the game loads that library and runs its code with the game’s own privileges. On desktop platforms, command-line arguments and library search path manipulation are the equivalent input channels, usable wherever something local can pass untrusted arguments to the application.

    Impact on Popular Games and Distribution Platforms

    Platform operators warned that many consumer titles and widely used games built with affected Unity versions are at risk until developers redeploy patched builds. Microsoft advised users to uninstall vulnerable games until developers publish updates addressing CVE-2025-59489. Valve released a client update that blocks the launching of unsafe custom URI schemes via its distribution platform and advised publishers to rebuild games using patched Unity releases or to replace the UnityPlayer runtime file in existing builds.

    Affected titles named in the platform advisories span both mobile and PC releases. Because the flaw is present in Unity releases going back to 2017.1, the pool of potentially affected applications includes a large number of mobile games and indie or mid-tier desktop titles that were built on older engine branches and have not since been recompiled.

    “Any malicious app installed on the same device as a vulnerable game can load and execute an attacker-supplied native library,” the researcher who disclosed the issue explained in a technical presentation.

    Unity issued fixes in supported branches and extended patches to some out-of-support versions beginning with the 2019.1 branch. The engine vendor also warned that older, unsupported engine releases will not receive patches and recommended developers using those releases migrate to a patched supported branch.

    Platform operators emphasized user caution while vendor and developer remediation proceeds. Microsoft specifically recommended removing vulnerable applications from Windows systems until patched updates are available, citing the risk of local privilege escalation on desktop deployments.

    Technical Root Cause and Developer Remediation Steps

    Security researchers traced the root cause to Unity’s handling of the -xrsdk-pre-init-library command-line argument and the library-loading logic behind it: the argument names a native library for the runtime to load, and the path it carries was neither validated nor restricted to the application’s own files. On Android, the runtime assembled part of its command line from Intent data without validating it, so an external app could inject a library path; on desktop systems, untrusted input could reach the same code through library search paths or command-line parameters whenever the application accepted or relayed such inputs.

    Successful exploitation requires conditions where an attacker can supply crafted input to a running Unity application. On mobile devices, this typically means a malicious app must already be installed on the same device. On desktop systems, exploitation vectors include manipulated shortcuts, launcher scripts, or other local mechanisms that can pass untrusted arguments to the target application.

    Unity’s remediation guidance for developers includes the following steps: update the Unity Editor to the latest recommended branch, rebuild and redeploy applications, or replace the Unity runtime binaries in distributed builds with patched versions. Where immediate recompilation is not feasible, applications should be hardened by removing or restricting support for unsafe command-line arguments, validating any inputs that influence library loading paths, and applying platform-specific mitigations such as blocking untrusted URI schemes or restricting inter-application intents.
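    As an added illustration of the two hardening measures just described (this is example code written for this page, not Unity’s runtime or anything from the advisory), the following Python shows an allowlist filter that strips library-loading arguments such as -xrsdk-pre-init-library from an untrusted argument string of the kind an Android Intent extra or a relayed argv would carry, and a path check that confines any library the application does agree to load to its own native library directory. The accepted flag set, the directory names and the hostile argument string are constructed for the example.

```python
import os

# Options this hypothetical launcher accepts, mapped to whether each consumes a
# value. Constructed for the example: a real application lists only the options
# it needs, and nothing that names a file for the runtime to load.
ALLOWED_FLAGS = {
    "-nolog": False,
    "-screen-fullscreen": True,
    "-force-gles30": False,
}

# Options that tell the runtime to load a native library. These are never taken
# from an untrusted source such as an Intent extra or a relayed command line.
LIBRARY_LOADING_FLAGS = {"-xrsdk-pre-init-library"}


def sanitize_command_line(cmdline):
    """Allowlist-filter a whitespace-separated argument string.

    Returns (kept, dropped). A library-loading flag is dropped together with
    the path that follows it; unknown flags are dropped too, so an option that
    was never reviewed cannot pass simply because nobody listed it as unsafe.
    Plain whitespace splitting is used on purpose: shell-style quoting rules
    would give an attacker a second parser to confuse.
    """
    tokens = cmdline.split()
    kept, dropped = [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in LIBRARY_LOADING_FLAGS:
            dropped.extend(tokens[i:i + 2])  # the flag and its library path
            i += 2
        elif tok in ALLOWED_FLAGS:
            width = 2 if ALLOWED_FLAGS[tok] else 1
            kept.extend(tokens[i:i + width])
            i += width
        else:
            dropped.append(tok)
            i += 1
    return kept, dropped


def resolve_library(lib_dir, requested):
    """Confine a requested library to lib_dir.

    Returns the absolute path if the request resolves to a location inside
    lib_dir, or None if it escapes by an absolute path, '..' traversal or a
    symlink that points outside. This is the check to run before any
    dlopen-style call, even on input that already passed the argument filter.
    """
    base = os.path.realpath(lib_dir)
    full = os.path.realpath(os.path.join(base, requested))
    if full == base or os.path.commonpath([base, full]) != base:
        return None
    return full


if __name__ == "__main__":
    # Constructed stand-in for a hostile argument string delivered via an Intent.
    hostile = "-nolog -xrsdk-pre-init-library /data/local/tmp/evil.so -screen-fullscreen 0"
    print(sanitize_command_line(hostile))
    lib_dir = "/data/app/com.example.game/lib/arm64"  # assumed install location
    print(resolve_library(lib_dir, "libgame.so"))
    print(resolve_library(lib_dir, "../../../../local/tmp/evil.so"))
```

    The filter is deliberately an allowlist rather than a blocklist: the runtime fix removes one named argument, but an application that relays arbitrary arguments into the engine is only as safe as the full list of options the engine honours.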

    Administrators and developers were also advised to audit distribution artifacts and deployment pipelines for instances where legacy runtime libraries might persist, and to scan for third-party dependencies that could expose vulnerable Unity runtime binaries within installers or bundled packages.
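    The audit step above, as an added example that is not a tool Unity or the platform operators provide: a Python script that walks a build or installer tree, finds the Unity player runtime binaries by file name, reads the engine version string embedded in each, and compares it against a per-branch minimum patched version. The RUNTIME_NAMES set reflects the names the player ships under; the PATCHED_MINIMUM values are placeholders to be replaced with the versions listed in Unity’s bulletin, and the sample tree is constructed inline so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# File names the Unity player runtime ships under on the platforms the advisory
# covers: Windows, macOS, Linux and Android respectively.
RUNTIME_NAMES = {"UnityPlayer.dll", "UnityPlayer.dylib", "UnityPlayer.so", "libunity.so"}

# Unity versions such as 2021.3.45f1 or 6000.0.23f1 are embedded in the runtime
# as plain ASCII, so a regex over the file bytes recovers them without a parser.
VERSION_RE = re.compile(rb"(?:20\d\d|6\d{3})\.\d+\.\d+[abfp]\d+")

# Minimum patched release per branch. PLACEHOLDER numbers so the example runs;
# take the real list from Unity's bulletin for CVE-2025-59489.
PATCHED_MINIMUM = {
    "2019.4": "2019.4.99f1",
    "2021.3": "2021.3.99f1",
    "2022.3": "2022.3.99f1",
    "6000.0": "6000.0.99f1",
}


def parse_version(text):
    """Turn '2021.3.45f1' into a comparable tuple; a<b<f<p matches release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([abfp])(\d+)", text)
    if not m:
        raise ValueError(f"not a Unity version: {text!r}")
    major, minor, patch, kind, n = m.groups()
    return (int(major), int(minor), int(patch), "abfp".index(kind), int(n))


def find_version(data):
    """Return the first Unity version string found in the bytes, or None."""
    m = VERSION_RE.search(data)
    return m.group(0).decode("ascii") if m else None


def assess(version, minimums=PATCHED_MINIMUM):
    """Classify a runtime as 'patched', 'unpatched' or, when its branch has no
    patched release at all, 'unsupported' (migrate, per Unity's advice)."""
    branch = ".".join(version.split(".")[:2])
    if branch not in minimums:
        return "unsupported"
    return "patched" if parse_version(version) >= parse_version(minimums[branch]) else "unpatched"


def audit_tree(root, minimums=PATCHED_MINIMUM):
    """Walk a build or installer tree and return (path, version, status) for
    every Unity runtime binary found, so stale copies in bundled packages or
    old pipeline outputs show up next to the current build."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name in RUNTIME_NAMES:
            version = find_version(path.read_bytes())
            status = assess(version, minimums) if version else "unknown"
            findings.append((str(path), version, status))
    return findings


def build_sample_tree():
    """Create a constructed build tree with three fake runtime binaries."""
    root = tempfile.mkdtemp(prefix="unity-audit-")
    samples = {
        "win/build/UnityPlayer.dll": b"MZ\x90\x00...Unity 2021.3.40f1 (deadbeef)\x00",
        "android/lib/arm64-v8a/libunity.so": b"\x7fELF...2021.3.99f1\x00",
        "legacy/installer/UnityPlayer.dll": b"MZ\x90\x00...2018.4.36f1\x00",
    }
    for rel, blob in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(blob)
    return root


if __name__ == "__main__":
    for path, version, status in audit_tree(build_sample_tree()):
        print(f"{status:11} {version or '?':14} {path}")
```

    Run against a real artifact store, the same walk reports every copy of the runtime, including ones embedded in old installers or vendored packages, which is exactly where an unpatched binary tends to survive a rebuild of the main title.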

    “Unity’s handling of Android Intents allows any malicious app installed on the same device as the vulnerable game to load and execute an attacker-supplied native library,” the vulnerability analysis stated.

    Unity reported no evidence of active exploitation at the time of its bulletin, but platform vendors and security teams urged rapid remediation due to the widespread deployment of Unity across mobile and desktop ecosystems and the relatively trivial exploitation path on devices where a malicious app could already be present.

    Industry response has included temporary distribution controls by storefront operators, direct advisories to developers, and guidance for end users to uninstall unpatched titles when possible. Developers are expected to prioritize updates for high-profile and high-installation games, and to communicate patch availability to players through release notes and platform update channels.

    Because the vulnerability can expose systems to both code execution and information disclosure depending on the application’s privileges, organizations using Unity for non-gaming real-time applications were also urged to treat the issue as a priority for remediation.

    Unity’s release notes and security bulletin provide technical indicators and the list of patched versions; developers are responsible for rebuilding and redeploying affected applications or applying the provided runtime replacements to mitigate the vulnerability for end users.
