Unity Technologies has issued a critical security advisory warning developers about a high-severity vulnerability affecting its widely used game development platform.
The flaw, designated CVE-2025-59489, exposes applications built with vulnerable Unity Editor versions to unsafe file loading attacks that could enable local code execution and privilege escalation across multiple operating systems.
The vulnerability stems from an untrusted search path weakness (CWE-426) that allows attackers to exploit unsafe file loading mechanisms within Unity-built applications.
With a CVSS score of 8.4, this security issue affects virtually all Unity Editor versions from 2017.1 through current releases, potentially impacting millions of deployed games and applications worldwide.
Local File Inclusion Vulnerability
The vulnerability manifests differently across operating systems, with Android applications facing the highest risk as they are susceptible to both code execution and elevation of privilege attacks.
Windows, Linux Desktop, Linux Embedded, and macOS platforms experience elevation of privilege risks, allowing attackers to gain unauthorized access at the application’s privilege level.
Security researchers at GMO Flatt Security Inc. discovered the flaw on June 4, 2025, through responsible disclosure practices.
The vulnerability exploits local file inclusion mechanisms, enabling attackers to execute arbitrary code confined to the vulnerable application’s privilege level while potentially accessing confidential information available to that process.
On Windows systems, the threat landscape becomes more complex when custom URI handlers are registered for Unity applications.
Attackers who can trigger these URI schemes may exploit the vulnerable library-loading behavior without requiring direct command-line access, significantly expanding the attack surface.
| Risk Factors | Details |
| Affected Products | Unity Editor versions 2017.1+ and applications built with these versions across Android, Windows, Linux, and macOS |
| Impact | Local code execution, privilege escalation, information disclosure |
| Exploit Prerequisites | Local system access, vulnerable Unity-built application present on target system |
| CVSS 3.1 Score | 8.4 (High) |
Mitigations
Unity has released patches for all supported versions and extended fixes to legacy versions dating back to Unity 2019.1.
The company provides two primary remediation approaches: rebuilding applications with updated Unity Editor versions or applying binary patches using Unity’s specialized patch tool for deployed applications.
Current supported versions, including 6000.3, 6000.2, 6000.0 LTS, 2022.3 xLTS, and 2021.3 xLTS, have received immediate patches.
Legacy versions spanning from 2019.1 through 2023.2 also received security updates, though versions 2017.1 through 2018.4 remain unpatched and should be upgraded immediately.
The vulnerability vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates local attack vectors with low complexity requirements and no user interaction needed, making exploitation relatively straightforward for attackers with local system access.
Unity emphasizes that no evidence of active exploitation has been detected, and no customer impact has been reported to date.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
