
A code execution vulnerability in the Unity game engine can be exploited to achieve code execution on Android and privilege escalation on Windows.
Unity is a cross-platform game engine and development platform that offers rendering, physics, animation and scripting tools to developers creating titles for Windows, macOS, Android, iOS, consoles and the web.
A large number of mobile games are built with Unity, as are many indie and mid-tier PC/console titles. The platform is also used outside gaming for real-time 3D applications.
Valve and Microsoft warn users
In response to the risk, Steam has issued a new client update that blocks the launch of custom URI schemes, to prevent exploitation through its distribution platform.
At the same time, Valve recommended that publishers rebuild their games with a fixed Unity version, or drop a patched version of the 'UnityPlayer.dll' file into their current builds.
Microsoft has also published a bulletin warning about the issue, recommending that users uninstall affected games until new versions addressing the flaw are available.
The company said popular titles are affected, including Hearthstone, The Elder Scrolls: Blades, Fallout Shelter, Doom (2019), Wasteland 3 and Forza Customs.
Unity advises developers to update the editor to the latest version in their release branch, then rebuild and republish their games or applications.
Patches extended to some unsupported versions
The vulnerability is tracked as CVE-2025-59489 and affects the runtime component. It allows unsafe file loading and local file inclusion, which can lead to code execution and information disclosure.
Researcher 'RyotaK' of GMO Flatt Security discovered the vulnerability at the Meta Bug Bounty Researcher Conference in May and stated that it affects all games built on engine versions from 2017.1 onward.
"[The vulnerability] may allow local code execution and access to confidential information on end-user devices running Unity-made applications," Unity warns in its security bulletin.
"Code execution will be limited to the privilege level of the vulnerable application, and information disclosure will be limited to the information available to the vulnerable application."
In a technical write-up, RyotaK showed that Unity's handling of Android Intents allows any malicious app installed on the same device as a vulnerable game to make that game load and execute an attacker-supplied native library.
This lets the attacker achieve arbitrary code execution with the privileges of the targeted game.
https://www.youtube.com/watch?v=QEHQB4A_MWQ
While RyotaK discovered this issue on Android, the root cause, Unity's handling of the -xrsdk-pre-init-library command-line argument without proper validation or sanitization, is also present on Windows, macOS and Linux.
On these systems, separate input paths can feed untrusted arguments to the targeted application or modify its library search path, so exploitation is possible when the right conditions are met.
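As an added defensive example (not from the article, RyotaK or Unity), the following Python triages Windows process-creation command lines for the -xrsdk-pre-init-library switch described above and flags values that point outside the game's install directory or are not absolute paths. The game install path, DLL names and command lines are constructed for the demonstration.

```python
import ntpath
import re

# Command-line switch named in Unity's advisory for CVE-2025-59489.
ARG = "-xrsdk-pre-init-library"
# Matches "-xrsdk-pre-init-library <value>" or "...=<value>", quoted or bare.
# Case-insensitive on purpose: detection should be broader than the parser.
ARG_RE = re.compile(re.escape(ARG) + r'(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def find_preinit_library(cmdline):
    """Return the library path passed via -xrsdk-pre-init-library, else None."""
    m = ARG_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def assess_cmdline(cmdline, game_root):
    """Classify one process-creation command line.

    'ok'     - switch absent
    'review' - switch present, library inside the game's install directory
    'alert'  - switch present, library relative or outside the install directory
    """
    lib = find_preinit_library(cmdline)
    if lib is None:
        return "ok"
    if not ntpath.isabs(lib):
        return "alert"  # relative name resolves via DLL search order, not pinned
    lib_n = ntpath.normcase(ntpath.normpath(lib))       # collapses "..", lowercases
    root_n = ntpath.normcase(ntpath.normpath(game_root)).rstrip("\\") + "\\"
    return "review" if lib_n.startswith(root_n) else "alert"

def triage(cmdlines, game_root):
    """Return {verdict: [cmdline, ...]} for a batch of command lines."""
    out = {"ok": [], "review": [], "alert": []}
    for c in cmdlines:
        out[assess_cmdline(c, game_root)].append(c)
    return out

# Constructed Sysmon-style command lines (not real telemetry); hypothetical game "Demo".
GAME_ROOT = r"C:\Games\Demo"
SAMPLE_CMDLINES = [
    r'"C:\Games\Demo\Demo.exe" -screen-fullscreen 0',
    r'"C:\Games\Demo\Demo.exe" -xrsdk-pre-init-library "C:\Games\Demo\Demo_Data\Plugins\x86_64\preinit.dll"',
    r'"C:\Games\Demo\Demo.exe" -xrsdk-pre-init-library C:\Users\Public\Downloads\stage.dll',
    r'"C:\Games\Demo\Demo.exe" -XRSDK-PRE-INIT-LIBRARY=C:\Games\Demo\..\..\Users\Public\stage.dll',
    r'"C:\Games\Demo\Demo.exe" -xrsdk-pre-init-library stage.dll',
]

if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_CMDLINES, GAME_ROOT).items():
        for line in lines:
            print(f"{verdict:6} {line}")
```

The ".." case is normalized before the prefix check, so a path that textually starts with the install directory but escapes it is still flagged.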
Unity states that it has not seen any active exploitation as of the publication of its bulletin on 2 October.
Fixes are available, and the remediation steps include "updating the Unity editor to the latest version and then rebuilding and republishing the application" and replacing the Unity runtime binary with a patched version.
Unity has released fixes for 2019.1 and later, including some out-of-support versions. Older versions that are no longer supported will not receive a patch.


