
A high-severity vulnerability in Unity's runtime could allow attackers to execute malicious code in thousands of games and applications, affecting titles built with Unity versions dating back to 2017.
The flaw, tracked as CVE-2025-59489 with a CVSS score of 8.4, was discovered by security researcher RyotaK from GMO Flatt Security Inc. during Meta's Bug Bounty Conference in May 2025. Unity Technologies disclosed the vulnerability on October 2, 2025, after implementing patches across affected versions.
According to Unity, 70% of top mobile games run on their engine, including popular titles like Among Us and Pokémon GO. The vulnerability affects applications on Android, Windows, Linux, and macOS platforms.
How the Attack Works
The vulnerability lies in Unity's intent handling on Android. Unity applications automatically accept command-line arguments through Android intents, a mechanism apps use to communicate with each other. A malicious app can abuse this feature by injecting the -xrsdk-pre-init-library argument, forcing a vulnerable Unity app to load an attacker-controlled native library (.so file).
"This behavior allows attackers to execute arbitrary code within the context of the Unity application, leveraging its permissions," RyotaK explained in his technical disclosure.
Once loaded, malicious code runs with the same privileges as the targeted game or app, potentially accessing sensitive data, camera permissions, location information, or other resources granted to the application.
While Android's SELinux protections limit remote exploitation scenarios, local attacks remain highly viable. Any malicious app installed on the same device can exploit vulnerable Unity applications.
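As an added example (not Unity's code and not part of the advisory), this custom player activity shows where a developer can drop the argument described above before the Unity runtime parses the intent-supplied command line, as a stopgap while a rebuild or binary patch is pending; the `updateUnityCommandLineArguments` hook name and the allowlisted flags are assumptions:

```java
import android.util.Log;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import com.unity3d.player.UnityPlayerActivity;

// Added example, not Unity's own code: strips the library-loading argument
// (and anything else not explicitly allowed) from the command line that
// arrives via the launch intent, and logs what it dropped.
public class HardenedUnityPlayerActivity extends UnityPlayerActivity {
    private static final String TAG = "UnityCmdline";

    // The argument named in CVE-2025-59489; it takes a path to a native library.
    private static final String PRE_INIT_LIBRARY_FLAG = "-xrsdk-pre-init-library";

    // Constructed allowlist for this example; keep it to flags your build
    // genuinely needs to accept from another app.
    private static final Set<String> ALLOWED_FLAGS = new HashSet<>(
        Arrays.asList("-force-gles20", "-force-gles30", "-force-vulkan"));

    // Assumption: the generated UnityPlayerActivity calls this hook from
    // onCreate with the raw command-line string taken from the intent.
    @Override
    protected String updateUnityCommandLineArguments(String cmdLine) {
        return sanitize(cmdLine);
    }

    static String sanitize(String cmdLine) {
        if (cmdLine == null || cmdLine.trim().isEmpty()) {
            return cmdLine;
        }
        StringBuilder kept = new StringBuilder();
        String[] tokens = cmdLine.trim().split("\\s+");
        for (int i = 0; i < tokens.length; i++) {
            String tok = tokens[i];
            String lower = tok.toLowerCase();
            if (lower.startsWith(PRE_INIT_LIBRARY_FLAG)) {
                // Drop the flag and the library path given either as the next
                // token or inline ("-xrsdk-pre-init-library=/path"); the log
                // line is a signal worth forwarding to your telemetry.
                boolean pathIsNext = lower.equals(PRE_INIT_LIBRARY_FLAG) && i + 1 < tokens.length;
                String path = pathIsNext ? tokens[++i] : tok;
                Log.w(TAG, "Blocked native library load request: " + path);
                continue;
            }
            if (!ALLOWED_FLAGS.contains(lower)) {
                Log.w(TAG, "Dropped unexpected argument: " + tok);
                continue;
            }
            if (kept.length() > 0) kept.append(' ');
            kept.append(tok);
        }
        return kept.toString();
    }
}
```

Register the class in AndroidManifest.xml in place of the default UnityPlayerActivity; the Log.w lines give a local detection point for any app on the device that attempts the injection.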
Immediate Action Required
Unity has released patches for all versions from 2019.1 onward and introduced a Binary Patch tool for developers unable to rebuild applications. High-profile games including Cities Skylines 2 and Two Point Museum have already deployed security updates.
Developers must download updated Unity Editor versions, recompile their projects, and republish immediately. Players should update all Unity-based games and exercise caution with third-party mods until patches are verified.
Unity emphasized that no active exploitation has been detected, but urged the development community to act swiftly to protect end users.