Application security, Endpoint/Device Security

Unity flaw allowing arbitrary code execution patched

(Adobe Stock)

Major game and application development platform Unity has addressed a high-severity flaw, tracked as CVE-2025-59489, which could enable arbitrary code execution, SecurityWeek reports.

The vulnerability arises from improper handling of command-line arguments in Unity applications, allowing malicious code to be run under certain conditions. Security researcher RyotaK from GMO Flatt Security reported that the issue, tied to Unity's debugging feature for Android, can be easily exploited locally. Remote exploitation may also be possible if a malicious website forces a browser to download and load a crafted library.

"Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers," Unity noted.

It added that Windows systems face a higher risk due to registered URI handlers. Microsoft said it is identifying and updating potentially affected applications and has added detection rules to Microsoft Defender. Valve also issued a Steam Client update to block games using vulnerable Unity parameters, advising developers to rebuild titles with the latest Unity Editor or apply patched UnityPlayer.dll files.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds