Microsoft and Steam Take Action as Unity Vulnerability Puts Games at Risk
The flaw could lead to local code execution, allowing attackers to access confidential information on devices running Unity-built applications. The post "Microsoft and Steam Take Action as Unity Vulnerability Puts Games at Risk" first appeared on SecurityWeek.
AI Analysis
Technical Summary
CVE-2025-59489 is a vulnerability in the Unity game and application development platform that allows attackers to achieve local code execution by exploiting how Unity handles command-line arguments related to debugging features. On Android, Unity applications automatically register a handler for intents containing specific extras (e.g., the unity extra) in UnityPlayerActivity, which is exported and accessible by other applications. Attackers can craft malicious applications that extract and load arbitrary native libraries by manipulating these command-line arguments, resulting in execution of arbitrary code within the vulnerable app's privilege scope. On Windows, the presence of registered custom URI handlers for Unity applications increases the attack surface, enabling attackers to trigger the vulnerability without direct command-line access by invoking these URIs. Remote exploitation is theoretically possible if a malicious website can coerce a browser to download and load a malicious library with a crafted argument.
Unity has addressed the vulnerability by releasing patched versions of the Unity Editor (including versions 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2) and runtime DLLs for older versions down to 2019.1. Microsoft is actively identifying and updating affected applications and has integrated detection rules into Microsoft Defender. Valve has updated the Steam client to block games launched with vulnerable command-line parameters and advises developers to update their games via the Steamworks SDK.
The vulnerability impacts all Unity-built applications from version 2017.1 onwards across Android, Windows, macOS, and Linux platforms. While exploitation is confined to the privileges of the targeted application and the data it can access, successful attacks could lead to unauthorized code execution and information disclosure. No known exploits have been reported in the wild to date.
Potential Impact
European organizations using Unity-built applications, particularly in the gaming industry, software development, and any sector deploying Unity-based tools, face risks of local or potentially remote code execution. This could lead to unauthorized access to sensitive information processed or stored by these applications, compromising confidentiality and integrity. The vulnerability could be exploited to execute malicious code with the same privileges as the Unity application, potentially enabling lateral movement or further compromise if the application has elevated permissions or access to critical data. Windows users are at higher risk due to custom URI handlers facilitating easier exploitation. The impact extends to end-users and enterprises relying on Unity-built software, potentially affecting business continuity, user trust, and data protection compliance. Given the widespread use of Unity in Europe’s robust gaming and software markets, unpatched applications could become vectors for targeted attacks or malware delivery. Although no active exploitation is reported, the ease of local exploitation and the potential for remote attack via browsers necessitate urgent mitigation to prevent future incidents.
Mitigation Recommendations
European organizations should immediately identify all Unity-built applications in their environment, including games and enterprise software, and verify their Unity Editor versions and runtime DLLs. Developers must update to the latest patched Unity Editor versions and rebuild applications to incorporate fixes. For applications no longer under active development, Unity’s patched UnityPlayer.dll runtime files should be deployed to replace vulnerable libraries without full rebuilds. Organizations should coordinate with software vendors and game developers to ensure timely updates are applied. Microsoft Defender users should ensure their endpoint protection is up to date to benefit from added detection rules. Steam users should update their Steam clients and encourage developers to submit patched game versions via Steamworks. Additionally, organizations should audit and restrict the use of custom URI handlers associated with Unity applications on Windows systems to reduce attack surface. Network-level controls should monitor and block suspicious command-line parameters or unusual library loading behaviors. Security teams should educate users about the risks of installing untrusted applications that could exploit this vulnerability. Finally, continuous monitoring for unusual process launches or library loads related to Unity applications is recommended to detect potential exploitation attempts.
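A sketch of the inventory step recommended above, added here as an example and not taken from Unity, Microsoft, Valve or SecurityWeek: it reads the engine version string embedded in a player build's data files and compares it with the fixed builds this page lists. The file names `globalgamemanagers` and `data.unity3d`, the 4 KB read window and the status labels are assumptions of this example.

```python
import os
import re

# Fixed builds named on this page, keyed by release stream (major, minor).
# The page says "including", so the list is not exhaustive.
FIXED = {
    (6000, 3): (0, "b", 4),
    (6000, 2): (6, "f", 2),
    (6000, 0): (58, "f", 2),
    (2022, 3): (67, "f", 2),
    (2021, 3): (56, "f", 2),
}
RANK = {"a": 0, "b": 1, "f": 2, "p": 3}  # alpha < beta < final < patch
VERSION_RE = re.compile(rb"(?<![\d.])(\d{1,4})\.(\d{1,2})\.(\d{1,3})([abfp])(\d{1,3})")
# Assumed locations of the embedded version string in a player build.
DATA_FILES = {"globalgamemanagers", "data.unity3d"}


def find_unity_version(blob):
    """Return the first Unity-style version string in blob, or None."""
    m = VERSION_RE.search(blob)
    return m.group(0).decode("ascii") if m else None


def classify(version):
    """Map a version string to a triage status using only the page's data."""
    m = VERSION_RE.fullmatch(version.encode("ascii", "ignore"))
    if not m:
        return "unparsed"
    major, minor, patch, inc = (int(m.group(i)) for i in (1, 2, 3, 5))
    if (major, minor) < (2017, 1):
        return "outside-stated-range"  # page states 2017.1 onwards
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "check-advisory"  # fixed build for this stream is not on the page
    build = (patch, RANK[m.group(4).decode()], inc)
    return "patched" if build >= (fixed[0], RANK[fixed[1]], fixed[2]) else "needs-update"


def scan(root):
    """Yield (path, version, status) for each Unity data file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(DATA_FILES.intersection(files)):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                version = find_unity_version(fh.read(4096))
            if version:
                yield path, version, classify(version)
```

A build fixed by swapping in the patched UnityPlayer.dll keeps its original version string in the data files, so `needs-update` is a prompt to verify the runtime library, not proof of exposure.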
Affected Countries
Germany, United Kingdom, France, Poland, Netherlands, Sweden, Italy, Spain, Finland, Belgium
Technical Details
- Article Source: https://www.securityweek.com/microsoft-and-steam-take-action-as-unity-vulnerability-puts-games-at-risk/ (fetched 2025-10-06T13:15:25.416Z, word count 1307)
Threat ID: 68e3c0edce01562c4aae4c3b
Added to database: 10/6/2025, 1:15:25 PM
Last enriched: 10/6/2025, 1:15:44 PM
Last updated: 10/7/2025, 1:45:36 PM