A serious vulnerability in the Unity Runtime, tracked as CVE-2025-59489 (CVSS 8.4), has been discovered by security researcher RyotaK (@ryotkak) from GMO Flatt Security Inc., potentially exposing millions of Android and cross-platform games built with the popular Unity engine to local file inclusion and code execution attacks.
According to Unity’s official advisory, “Applications that were built using affected versions of the Unity Editor are susceptible to an unsafe file loading and local file inclusion attack depending on the operating system, which could enable local code execution or information disclosure at the privilege level of the vulnerable application.”
Unity confirmed there is no evidence of exploitation in the wild, but given the engine’s ubiquity across mobile, console, and desktop platforms, the potential impact is significant.
In a detailed technical write-up, RyotaK explains that the vulnerability stems from the intent handling process in the Unity Runtime for Android. The engine automatically adds a handler for the unity intent extra in the UnityPlayerActivity, which serves as the default entry point for most Unity-built Android applications.
This handler, intended for debugging, parses the unity extra as command-line arguments so that developers can pass parameters when launching the app through the Android Debug Bridge (ADB). Nothing restricts the sender, however: any component that can start the activity can attach the same extra.
As RyotaK notes, “This means any application can send the unity extra to a Unity application, allowing attackers to control the command line arguments passed to that application.”
By injecting arguments such as -xrsdk-pre-init-library, an attacker can make the Unity app dlopen() an arbitrary shared library (.so file). The library then runs inside the target app's process, with its UID and granted permissions, and can reach whatever data or device features the app itself can.
The simplest attack scenario involves another malicious app installed on the same device. RyotaK demonstrated how a low-privileged Android app can exploit this flaw by:
- Including a malicious shared library (.so) in its APK, at a location the target process is able to read.
- Sending an intent to the Unity app's activity whose unity extra carries -xrsdk-pre-init-library followed by the library path. The write-up's example uses /data/local/tmp/malicious.so; that directory is writable from an ADB shell but not by an ordinary app, so an app-to-app attack has to reference a path the attacking app can populate and the victim process can read.
- Triggering the Unity app to dlopen() the library, which executes the malicious code under the Unity app's own process permissions.
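To make the chain concrete, the following is an added example (not code from RyotaK's write-up or from Unity) that models how the unity extra becomes a dlopen() target and shows a defense-in-depth filter that strips library-loading arguments before the runtime sees them. It assumes the extra is split on whitespace into argv and that -xrsdk-pre-init-library takes the library path as the following token; the sample extra is constructed. The filter is a stopgap for apps that cannot be rebuilt immediately, not a replacement for the patched Editor or Unity's Binary Patch tool.

```python
"""Model of the 'unity' intent extra and a filter for library-loading arguments.

Assumptions (not taken from Unity's code): the extra is whitespace-split into
argv, and -xrsdk-pre-init-library consumes the next token as the library path.
"""
from typing import List, Optional, Tuple

# Flag named in the write-up; the vulnerable runtime hands its value to dlopen().
LIBRARY_LOADING_FLAGS = {"-xrsdk-pre-init-library"}


def parse_unity_extra(extra: Optional[str]) -> List[str]:
    """Turn the raw 'unity' extra into argv (whitespace split is an assumption)."""
    if not extra:
        return []
    return extra.split()


def dlopen_targets(argv: List[str]) -> List[str]:
    """Paths a vulnerable runtime would pass to dlopen() for this argv."""
    targets = []
    for i, tok in enumerate(argv):
        if tok in LIBRARY_LOADING_FLAGS and i + 1 < len(argv):
            targets.append(argv[i + 1])
    return targets


def looks_like_filesystem_path(tok: str) -> bool:
    """Debug parameters should never name a file; treat slashes or .so as a path."""
    return "/" in tok or tok.endswith(".so")


def sanitize_unity_args(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Drop library-loading flags together with their value, and any path-like token.

    Returns (kept, dropped). Run this on the extra before the runtime parses it.
    """
    kept: List[str] = []
    dropped: List[str] = []
    skip_next = False
    for tok in argv:
        if skip_next:            # value belonging to a dropped flag
            dropped.append(tok)
            skip_next = False
            continue
        if tok in LIBRARY_LOADING_FLAGS:
            dropped.append(tok)
            skip_next = True
            continue
        if looks_like_filesystem_path(tok):
            dropped.append(tok)
            continue
        kept.append(tok)
    return kept, dropped


# Constructed sample: the extra a malicious app on the same device would send.
MALICIOUS_EXTRA = "-xrsdk-pre-init-library /data/local/tmp/malicious.so"

if __name__ == "__main__":
    argv = parse_unity_extra(MALICIOUS_EXTRA)
    print("vulnerable runtime would dlopen:", dlopen_targets(argv))
    kept, dropped = sanitize_unity_args(argv)
    print("after filter, argv =", kept, "dropped =", dropped)
```

In a real app this check belongs in the activity's intent handling, before the runtime reads the extra; because the extra is controlled by whoever sent the intent, the filter must be applied on every launch, including re-delivery of the intent to an already running activity.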
This type of privilege hijacking allows the malicious app to inherit permissions of popular Unity-based games or applications, potentially accessing data such as GPS location, camera feeds, or in-app user credentials.
RyotaK also identified that, under specific conditions, the vulnerability could be exploited remotely, in particular through browsers on Android.
He explains: “If an application exports UnityPlayerActivity or UnityPlayerGameActivity with the android.intent.category.BROWSABLE category (allowing browser launches), websites can specify extras passed to the activity using intent URLs.”
For example, a malicious website could craft a link like:
In theory, visiting this link could trigger the exploit automatically—turning it into a one-click remote code execution (RCE).
However, Android’s SELinux security model provides an important safeguard. As RyotaK notes, “Android’s strict SELinux policy prevents dlopen from opening files in the downloads directory, which mitigates almost all remote exploitation scenarios.”
Still, if an app writes attacker-controlled files into its private storage—such as cached web content—this protection can be bypassed, allowing a remote exploit under the right conditions.
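Whether a given Unity app falls into the local-only or the browser-reachable case can be read off its manifest. The following is an added triage script (not from Unity or the write-up) that inspects a decoded AndroidManifest.xml, finds UnityPlayerActivity and UnityPlayerGameActivity, and reports whether each is exported and whether any intent-filter carries android.intent.category.BROWSABLE. The two manifests are constructed samples; the package names and the custom scheme in them are placeholders. Apps that subclass the Unity activity under another name keep the same handler, so pass those class names in as well.

```python
"""Triage a decoded AndroidManifest.xml for the CVE-2025-59489 attack surface."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BROWSABLE = "android.intent.category.BROWSABLE"

# Activities that carry the 'unity' extra handler. Add your own subclasses.
UNITY_ACTIVITIES = {
    "com.unity3d.player.UnityPlayerActivity",
    "com.unity3d.player.UnityPlayerGameActivity",
}


def _resolve_class(name: str, package: str) -> str:
    """Expand manifest shorthand: '.Foo' and 'Foo' mean '<package>.Foo'."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def triage_manifest(xml_text: str,
                    unity_activities: Iterable[str] = UNITY_ACTIVITIES) -> List[Dict]:
    """Return one finding per Unity activity: exported? browsable? schemes?"""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    wanted = set(unity_activities)
    findings = []
    for act in root.iter("activity"):
        name = _resolve_class(act.get(ANDROID_NS + "name", ""), package)
        if name not in wanted:
            continue
        filters = act.findall("intent-filter")
        exported_attr = act.get(ANDROID_NS + "exported")
        if exported_attr is not None:
            exported = exported_attr.lower() == "true"
        else:
            # Pre-API-31 default: an activity with an intent-filter is exported.
            exported = bool(filters)
        schemes = set()
        browsable = False
        for f in filters:
            cats = {c.get(ANDROID_NS + "name") for c in f.findall("category")}
            if BROWSABLE in cats:
                browsable = True
                for d in f.findall("data"):
                    scheme = d.get(ANDROID_NS + "scheme")
                    if scheme:
                        schemes.add(scheme)
        findings.append({
            "activity": name,
            "exported": exported,
            "browsable": browsable,
            "schemes": sorted(schemes),
        })
    return findings


def exposure(finding: Dict) -> str:
    """'remote' if a web page can launch it, 'local' if another app can, else 'none'."""
    if finding["browsable"]:
        return "remote"
    if finding["exported"]:
        return "local"
    return "none"


# Constructed sample 1: plain launcher activity (the usual Unity template).
MANIFEST_LAUNCHER = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <application>
    <activity android:name="com.unity3d.player.UnityPlayerActivity"
              android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample 2: same activity also registered as a BROWSABLE deep link.
MANIFEST_BROWSABLE = MANIFEST_LAUNCHER.replace("</activity>", """
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplegame"/>
      </intent-filter>
    </activity>""")

if __name__ == "__main__":
    for label, text in (("launcher", MANIFEST_LAUNCHER), ("browsable", MANIFEST_BROWSABLE)):
        for f in triage_manifest(text):
            print(label, f["activity"], exposure(f), f["schemes"])
```

A "remote" result means the activity can be started from a web page with attacker-chosen extras, so the only thing standing between a link and a dlopen() is where the library file can be placed; "local" means the attack needs another app on the device. Either result is a reason to rebuild with a patched Editor or apply the Binary Patch tool.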
Unity’s security advisory lists multiple affected platforms, all potentially vulnerable to privilege escalation or code execution:
| Platform | Impact | Severity |
|---|---|---|
| Android | Code Execution / Privilege Escalation | High |
| Windows | Elevation of Privilege | High |
| macOS | Elevation of Privilege | High |
| Linux (Desktop & Embedded) | Elevation of Privilege | High |
On Windows, the issue can also be triggered if a custom URI handler is registered for a Unity application, potentially enabling exploitation via malicious links. Unity warns: “If a custom URI scheme is present and can be invoked on the target system, an attacker who can cause that URI to be opened could trigger the vulnerable library-loading behavior without needing direct command-line access.”
Unity has released patches for all supported and many out-of-support versions of the Unity Editor—from 2019.1 onward—to eliminate the unsafe file loading behavior.
Patched versions include:
- 6000.0.58f2 (LTS)
- 2022.3.67f2 (xLTS)
- 2021.3.56f2 (xLTS)
- 2020.3.49f1
- 2019.4.41f1
Unity states: “We have extended fixes to out of support versions of the Unity Editor to include Unity 2019.1 and newer.”
Security engineer RyotaK strongly recommends developers act immediately: “Developers are strongly encouraged to download the updated versions of Unity, recompile their games and applications, and republish to ensure their projects remain secure.”
Unity has also provided a Binary Patch tool for legacy projects that cannot easily be rebuilt, enabling developers to apply the fix without full recompilation.