Unity Vulnerability CVE-2025-59489: A Threat to Developers and Gamers

07.10.2025 2 minutes Author: Newsman

A critical vulnerability, CVE-2025-59489, has been discovered in the Unity Runtime. It allows attackers to execute arbitrary code through argument injection. The problem affects Android, Windows, macOS, and Linux, as well as any application compiled with a vulnerable version of the Unity Editor.

At its core, the Unity Runtime handles command-line parameters incorrectly. Because of this, an attacker can supply a path to a malicious library and force the application to load code from an untrusted source.

This flaw allows an attacker to:

  • execute arbitrary code on the user’s device;

  • gain access to confidential files or credentials;

  • install a backdoor into the system or change the behavior of the game or application.
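A defender-side illustration of the argument handling described above, added here and not taken from Unity or the Flatt Security report: it scans process-launch records for any argument that names a native library outside the application's install directory. The events, hosts and paths are constructed, and `-example-lib-flag` is a placeholder name, not a real Unity argument.

```python
from pathlib import PurePosixPath, PureWindowsPath

LIB_SUFFIXES = (".so", ".dll", ".dylib")  # native library extensions

def _as_path(text):
    # Treat drive-letter or backslash paths as Windows, everything else as POSIX.
    windows = "\\" in text or (len(text) > 1 and text[1] == ":")
    return (PureWindowsPath if windows else PurePosixPath)(text)

def library_args_outside(argv, install_dir):
    """Return launch arguments that name a native library outside install_dir."""
    root = _as_path(install_dir)
    hits = []
    for arg in argv[1:]:                    # argv[0] is the executable itself
        value = arg.split("=", 1)[-1]       # covers "-flag=value" and bare values
        if not value.lower().endswith(LIB_SUFFIXES):
            continue
        path = _as_path(value)
        # Relative paths, ".." traversal, UNC shares and foreign roots all fail.
        inside = (type(path) is type(root) and path.is_absolute()
                  and ".." not in path.parts and path.is_relative_to(root))
        if not inside:
            hits.append(arg)
    return hits

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"host": "ws-01", "install_dir": r"C:\Games\Demo",
     "argv": [r"C:\Games\Demo\Demo.exe", "-screen-fullscreen", "1"]},
    {"host": "ws-02", "install_dir": r"C:\Games\Demo",
     "argv": [r"C:\Games\Demo\Demo.exe", "-example-lib-flag",
              r"C:\Users\Public\Downloads\x.dll"]},
    {"host": "lx-03", "install_dir": "/opt/demo",
     "argv": ["/opt/demo/demo.x86_64",
              "-example-lib-flag=/opt/demo/../../tmp/x.so"]},
    {"host": "lx-04", "install_dir": "/opt/demo",
     "argv": ["/opt/demo/demo.x86_64", "-example-lib-flag",
              "/opt/demo/Plugins/libaudio.so"]},
]

def scan(events):
    """Return (host, offending arguments) for each event worth triaging."""
    return [(e["host"], hits) for e in events
            if (hits := library_args_outside(e["argv"], e["install_dir"]))]

if __name__ == "__main__":
    for host, hits in scan(EVENTS):
        print(host, hits)
```

The check keys on the argument value rather than on a flag name, so it keeps working when the flag is unknown; versioned names such as `libfoo.so.1` would need an extra pattern.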

Unity confirmed that updating the Unity Editor itself does not solve the problem, since the vulnerable code is already embedded in compiled applications. To completely eliminate the risk, it is necessary to rebuild and re-release all projects on the fixed version of the engine. The vulnerability was discovered by researcher RyotaK from GMO Flatt Security in June 2025. Following the publication of the Flatt Tech report, Unity quickly issued an official notice and security update (Unity Security Bulletin 2025-10-02).

On the Steam platform, developers have already received a warning from Valve urging them to immediately review their builds and disable dangerous launch arguments. Gamers in the community have noted Valve’s quick response, as such incidents could potentially affect even major releases.

The Unity incident shows how important it is for developers to not only update the engine, but also to control the process of building and redeploying projects. Users should download games only from official sources, and studios should conduct independent security audits.

This story is another reminder that even the most popular tools can contain dangerous holes that attackers can use to carry out large-scale attacks.
