Unity Real-Time Development Platform Vulnerability Let Attackers Execute Arbitrary Code
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Unity Technologies has issued a critical security advisory warning developers about a high-severity vulnerability affecting its widely used game development platform<\/a>.\u00a0<\/p>\n The flaw, designated CVE-2025-59489, exposes applications built with vulnerable Unity Editor versions to unsafe file loading attacks that could enable local code execution and privilege escalation<\/a> across multiple operating systems.<\/p>\n The vulnerability stems from an untrusted search path weakness (CWE-426) that allows attackers to exploit unsafe file loading mechanisms within Unity-built applications.\u00a0<\/p>\n With a CVSS score of 8.4, this security issue affects virtually all Unity Editor versions from 2017.1 through current releases, potentially impacting millions of deployed games and applications worldwide.<\/p>\n The vulnerability manifests differently across operating systems, with Android applications facing the highest risk as they are susceptible to both code execution and elevation of privilege attacks.\u00a0<\/p>\n Windows, Linux Desktop, Linux Embedded, and macOS platforms<\/a> experience elevation of privilege risks, allowing attackers to gain unauthorized access at the application\u2019s privilege level.<\/p>\n Security researchers at GMO Flatt Security Inc. discovered the flaw on June 4, 2025, through responsible disclosure practices.\u00a0<\/p>\n The vulnerability exploits local file inclusion mechanisms, enabling attackers to execute arbitrary code confined to the vulnerable application\u2019s privilege level while potentially accessing confidential information available to that process.<\/p>\n On Windows systems, the threat landscape becomes more complex when custom URI handlers are registered for Unity applications.\u00a0<\/p>\n Attackers who can trigger these URI schemes may exploit the vulnerable library-loading behavior without requiring direct command-line access, significantly expanding the attack surface.<\/p>\n Unity has released patches for all supported versions and extended fixes to legacy versions dating back to Unity 2019.1.\u00a0<\/p>\n The company provides two primary remediation approaches: rebuilding applications with updated Unity Editor versions or applying binary patches using Unity\u2019s specialized patch tool for deployed applications.<\/p>\n Current supported versions, including 6000.3, 6000.2, 6000.0 LTS, 2022.3 xLTS, and 2021.3 xLTS, have received immediate patches.<\/p>\n Legacy versions spanning from 2019.1 through 2023.2 also received security updates, though versions 2017.1 through 2018.4 remain unpatched and should be upgraded immediately.<\/p>\n The vulnerability vector string CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H indicates local attack vectors with low complexity requirements and no user interaction needed, making exploitation relatively straightforward for attackers with local system access.\u00a0<\/p>\n Unity emphasizes that no evidence of active exploitation has been detected, and no customer impact has been reported to date.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Unity Real-Time Development Platform Vulnerability Let Attackers Execute Arbitrary Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nLocal File Inclusion Vulnerability<\/strong><\/h2>\n
\n\n
\n Risk Factors<\/strong><\/td>\n Details<\/strong><\/td>\n<\/tr>\n \n Affected Products<\/td>\n Unity Editor versions 2017.1+ and applications built with these versions across Android, Windows, Linux, and macOS<\/td>\n<\/tr>\n \n Impact<\/td>\n Local code execution, privilege escalation, information disclosure<\/td>\n<\/tr>\n \n Exploit Prerequisites<\/td>\n Local system access, vulnerable Unity-built application present on target system<\/td>\n<\/tr>\n \n CVSS 3.1 Score<\/td>\n 8.4 (High)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Mitigations<\/strong><\/h2>\n