A critical vulnerability (CVE-2025-59489) was disclosed in the **Unity engine**, one of the most widely used game development platforms, exposing applications built with affected engine versions to **arbitrary code execution**. Because the flaw sits in the engine runtime that every Unity build ships with rather than in any one game, a malicious file or crafted launch parameters can hijack the permissions already granted to a Unity-based game and run attacker-controlled code with that app's privileges, reaching whatever confidential user data the app itself can read on **Android, Windows, Linux, and macOS** (iOS, Xbox, PlayStation, and Nintendo Switch are not affected). No in-the-wild exploitation has been observed, but the exposure is broad: Unity powers games installed on billions of devices, among them *Pokémon GO*, *Genshin Impact*, and *Call of Duty: Mobile*. Unity released patches for the affected versions, **Steam** blocked launches of Unity games that carry suspicious command-line parameters, and Microsoft advised uninstalling vulnerable apps until patched builds are available. The bug was reported by **RyotaK (GMO Flatt Security)** at Meta's Bug Bounty Researcher Conference. No data breach or user impact has been reported; the realistic outcome of a successful attack is **unauthorized data access and code execution bounded by the affected application's privileges**, which remains a material risk to end-user confidentiality and system integrity.
Source: https://therecord.media/unity-game-engine-vulnerability-android-windows-linux-macos
TPRM report: https://www.rankiteo.com/company/unity
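The Steam mitigation described above and the root cause this record names (missing validation of command-line parameters) come down to one control: a launcher should forward only arguments it understands, and refuse to start the game otherwise. Below is an added example of such an allow-list check in Python; it is not Unity's, Valve's or Microsoft's code. The flag names in the allow-list, the hypothetical `-load-plugin` flag in the rejected case, and the sample launch lines are all assumptions constructed for the example, not taken from any advisory or captured from a real game.

```python
"""Allow-list validation of launch arguments before a Unity-built game starts.

Added example (not Unity, Valve or Microsoft code). The allow-listed flag names
are an assumption of this example; the sample launch lines are constructed.
"""
from dataclasses import dataclass, field


# Flags the launcher agrees to forward. Anything not listed is refused outright,
# so an attacker-supplied flag is never seen by the game process.
ALLOWED_FLAGS = {
    "-screen-width", "-screen-height", "-screen-fullscreen",
    "-force-vulkan", "-force-d3d11", "-nolog",
}
# Subset that takes one value; the value must be a small integer, never a path.
FLAGS_WITH_VALUE = {"-screen-width", "-screen-height", "-screen-fullscreen"}
NATIVE_LIB_SUFFIXES = (".so", ".dll", ".dylib")


@dataclass
class Verdict:
    allowed: bool
    reason: str
    argv: list = field(default_factory=list)


def looks_like_path(value: str) -> bool:
    """True for anything that could name a file, URL or native library on disk."""
    return ("/" in value or "\\" in value or "://" in value
            or value.lower().endswith(NATIVE_LIB_SUFFIXES))


def check_launch_args(argv: list) -> Verdict:
    """Accept argv only if every flag is allow-listed and every value is an integer.

    argv[0] is the executable. Unknown flags, path-like values, and a flag
    smuggled in as the value of another flag are all rejected; on rejection the
    launcher should refuse to start the game rather than strip the bad argument.
    """
    if not argv:
        return Verdict(False, "empty argv")
    args = argv[1:]
    i = 0
    while i < len(args):
        flag = args[i]
        if flag not in ALLOWED_FLAGS:
            return Verdict(False, f"flag not on allow-list: {flag}", argv)
        if flag in FLAGS_WITH_VALUE:
            if i + 1 >= len(args):
                return Verdict(False, f"missing value for {flag}", argv)
            value = args[i + 1]
            if looks_like_path(value):
                return Verdict(False, f"path-like value for {flag}: {value}", argv)
            if not value.isdigit():
                return Verdict(False, f"non-integer value for {flag}: {value}", argv)
            i += 2
        else:
            i += 1
    return Verdict(True, "ok", argv)


# Constructed sample launch lines (not captured from any real game or platform).
# "-load-plugin" is a hypothetical flag name used only to show the unknown-flag case.
SAMPLE_LAUNCHES = [
    ["game.exe", "-screen-width", "1920", "-screen-height", "1080", "-nolog"],
    ["game.exe", "-load-plugin", "/sdcard/Download/evil.so"],
    ["game.exe", "-screen-width", "..\\..\\evil.dll"],
    ["game.exe", "-screen-width", "-nolog"],
    ["game.exe", "-screen-fullscreen"],
]


def audit(launches=SAMPLE_LAUNCHES) -> dict:
    """Check every launch line; return the verdicts and how many were refused."""
    verdicts = [check_launch_args(argv) for argv in launches]
    return {"verdicts": verdicts, "refused": sum(not v.allowed for v in verdicts)}


if __name__ == "__main__":
    for v in audit()["verdicts"]:
        print("ALLOW " if v.allowed else "REFUSE", " ".join(v.argv), "->", v.reason)
```

The check deliberately fails closed: an unknown flag or a path-like value refuses the launch rather than silently dropping the argument, because a launcher that strips and continues still lets the attacker probe which spellings get through.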
"id": "uni2392623100625",
"linkid": "unity",
"type": "Vulnerability",
"date": "6/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited to finance or reputation"
{'affected_entities': [{'customers_affected': ['Game developers and end-users '
'of Unity-built applications '
'(billions of Android devices '
'globally)'],
'industry': 'Game Development Tools',
'location': 'Global (HQ: San Francisco, USA)',
'name': 'Unity Technologies',
'type': 'Software Company'},
{'customers_affected': 'Users of vulnerable Microsoft '
'apps/games built with Unity',
'industry': 'Software/Gaming',
'location': 'Global (HQ: Redmond, USA)',
'name': 'Microsoft',
'type': 'Technology Corporation'},
{'customers_affected': 'Developers and players of '
'Unity-based games on Steam',
'industry': 'Digital Distribution',
'location': 'Global (HQ: Bellevue, USA)',
'name': 'Valve Corporation (Steam)',
'type': 'Gaming Platform'},
{'industry': 'Mobile Gaming',
'location': 'Global (HQ: San Francisco, USA)',
'name': 'Niantic (Pokémon GO)',
'type': 'Game Developer'},
{'industry': 'Mobile/Console Gaming',
'location': 'Global (HQ: Shanghai, China)',
'name': 'miHoYo (Genshin Impact)',
'type': 'Game Developer'},
{'industry': 'Mobile Gaming',
'location': 'Global (HQ: Santa Monica, USA)',
'name': 'Activision (Call of Duty: Mobile)',
'type': 'Game Developer'}],
'attack_vector': ['Malicious File Execution',
'Privilege Escalation (within app context)'],
'customer_advisories': ['Update all Unity-based applications immediately.',
'Temporarily uninstall vulnerable Microsoft '
'apps/games if updates are unavailable.',
'Ensure security software (e.g., Microsoft Defender) '
'is active.'],
'data_breach': {'sensitivity_of_data': ['Medium (dependent on app '
'permissions)'],
'type_of_data_compromised': ['Confidential information '
'accessible to the vulnerable '
'application (scope limited to '
'app permissions)']},
'description': 'A vulnerability (CVE-2025-59489) in the Unity engine exposes '
'apps built with affected versions to arbitrary code execution '
'attacks. Malicious files could hijack permissions granted to '
'Unity-based games, running commands with the app’s privileges '
'on victim devices. The flaw primarily impacts Android, '
'Windows, Linux, and macOS systems but not iOS, Xbox, '
'PlayStation, or Nintendo Switch. Unity has released fixes, '
'and no exploitation has been observed yet. Popular affected '
'games include Pokémon GO, Genshin Impact, and Call of Duty: '
'Mobile.',
'impact': {'brand_reputation_impact': ['Potential reputational risk due to '
'widespread use of Unity in billions '
'of Android devices globally'],
'data_compromised': ['Potential access to confidential information '
'on end-user devices (limited to app '
'permissions)'],
'operational_impact': ['Temporary uninstallation of vulnerable '
'Microsoft apps/games recommended',
'Steam blocking launches of Unity games '
'with malicious command-line parameters'],
'systems_affected': ['Android', 'Windows', 'Linux', 'macOS']},
'investigation_status': 'Ongoing (no evidence of exploitation; patches '
'released)',
'lessons_learned': ['Proactive vulnerability disclosure and patching mitigate '
'risks before exploitation occurs.',
'Collaboration between security researchers (e.g., GMO '
'Flatt Security) and vendors (Unity) enhances response '
'effectiveness.',
'Platforms like Steam and Microsoft can implement '
'protective measures (e.g., blocking malicious '
'parameters) to reduce exposure.'],
'post_incident_analysis': {'corrective_actions': ['Unity released patches to '
'address the vulnerability.',
'Platforms (Steam, '
'Microsoft) implemented '
'mitigations (e.g., '
'blocking malicious '
'parameters).',
'Encouraged community '
'collaboration for future '
'vulnerability reporting.'],
'root_causes': ['Vulnerability in Unity engine '
'allowing arbitrary code execution '
'within app permissions.',
'Lack of input validation for '
'command-line parameters in '
'Unity-built applications.']},
'recommendations': ['Developers should immediately apply Unity’s patches for '
'CVE-2025-59489.',
'End-users should update all Unity-based applications, '
'especially on Android, Windows, Linux, and macOS.',
'Enable security software (e.g., Microsoft Defender) to '
'detect malicious activity.',
'Game platforms should monitor for and block suspicious '
'command-line parameters in Unity games.',
'Organizations should participate in bug bounty programs '
'to identify vulnerabilities early.'],
'references': [{'source': 'Unity Advisory on CVE-2025-59489'},
{'source': 'Microsoft Security Guidance'},
{'source': 'Steam Notice for Unity Developers'},
{'source': 'GMO Flatt Security Statement'},
{'source': 'Meta Bug Bounty Researcher Conference (June '
'2025)'}],
'response': {'communication_strategy': ['Public advisory by Unity',
'Statements from Microsoft and Steam',
'Acknowledgment by GMO Flatt '
'Security'],
'containment_measures': ['Unity released patches for affected '
'versions',
'Microsoft recommended uninstalling '
'vulnerable apps/games until updates '
'are available',
'Steam blocked launches of Unity games '
'with malicious command-line '
'parameters'],
'incident_response_plan_activated': True,
'remediation_measures': ['Unity provided fixes to all developers',
'Encouraged users to update '
'games/applications and ensure '
'Microsoft Defender is running'],
'third_party_assistance': ['GMO Flatt Security (vulnerability '
'reporter)']},
'stakeholder_advisories': ['Unity’s public advisory and developer '
'notifications',
'Microsoft’s user guidance for vulnerable apps',
'Steam’s developer notice'],
'title': 'Critical Arbitrary Code Execution Vulnerability in Unity Engine '
'(CVE-2025-59489)',
'type': ['Vulnerability Disclosure',
'Arbitrary Code Execution (ACE)',
'Information Disclosure'],
'vulnerability_exploited': 'CVE-2025-59489 (Unity Engine Arbitrary Code '
'Execution)'}