Eight-Year-Old critical security flaw discovered in Unity Engine, requires urgent patching for thousands of games
Take action: If possible, keep your games updated, especially on Android. Don't install random apps from sketchy sources, since a malicious app could exploit Unity games on your device. Stick to the official Play Store, and even then be selective about what you install. The biggest risk is ignoring updates and continuing to play old versions of games while also installing random software. Just don't do that. Ideally, uninstall the vulnerable games until they are patched.
Unity Technologies has patched a security vulnerability that has existed undetected in the Unity Engine for eight years, affecting thousands of games and applications built with Unity versions 2017.1 and later across multiple platforms.
The flaw is tracked as CVE-2025-59489 (CVSS score 8.4) and is caused by Unity's intent handler mechanism on Android and similar functionality on other platforms. Unity automatically adds a handler for intents containing the "unity" extra to the UnityPlayerActivity, which serves as the default entry point for applications. Although this feature was designed to support debugging Unity applications, it inadvertently created a security vulnerability: any application on the same device can send these intents, allowing attackers to control the command-line arguments passed to Unity applications.
In its default configuration, the vulnerability allows malicious applications installed on the same device to hijack permissions granted to Unity applications. The Unity application would load and execute the malicious code with its own permissions, effectively granting the attacker access to all data and capabilities available to the vulnerable application.
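For developers who cannot rebuild immediately, one defensive pattern is to wrap the entry point and drop the "unity" extra before the engine parses it. The snippet below is an added example written for this article, not Unity's own patch; it assumes the app's launcher activity subclasses UnityPlayerActivity (the default entry point named above), that the manifest points at this subclass, and that UnityPlayerActivity reads the extra from getIntent() during onCreate, as the description implies. Package and class names are hypothetical.

```java
// Hypothetical package name; the class name is also an assumption.
package com.example.hardened;

import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import com.unity3d.player.UnityPlayerActivity;

public class HardenedUnityActivity extends UnityPlayerActivity {
    private static final String TAG = "HardenedUnity";
    // The extra described in the advisory: Unity turns it into command-line arguments.
    private static final String UNITY_ARGS_EXTRA = "unity";

    // Removes the debugging extra from an incoming intent.
    // Returns true if the extra was present (useful for logging/telemetry).
    static boolean stripUnityArgs(Intent intent) {
        if (intent == null || !intent.hasExtra(UNITY_ARGS_EXTRA)) {
            return false;
        }
        intent.removeExtra(UNITY_ARGS_EXTRA);
        return true;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        // Assumption: the parent activity parses the extra in its onCreate,
        // so the extra must be gone before super.onCreate() runs.
        if (stripUnityArgs(getIntent())) {
            // Any app on the device can send this extra; record it for investigation.
            Log.w(TAG, "Dropped 'unity' launch extra from an incoming intent");
        }
        super.onCreate(savedInstanceState);
    }

    @Override
    protected void onNewIntent(Intent intent) {
        // Same treatment for intents delivered to an already-running activity.
        if (stripUnityArgs(intent)) {
            Log.w(TAG, "Dropped 'unity' extra from onNewIntent delivery");
        }
        super.onNewIntent(intent);
    }
}
```

This only neutralises the Android intent path; it is a stopgap, and the engine update or Unity's Binary Patch tool remains the real fix.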
The security flaw was discovered by RyotaK, a security engineer at GMO Flatt Security Inc., during his participation in the Meta Bug Bounty Researcher Conference 2025.
Affected platforms include:
- Android - Code Execution / Elevation of Privilege (High Severity)
- Windows - Elevation of Privilege (High Severity)
- Linux Desktop - Elevation of Privilege (High Severity)
- Linux Embedded - Elevation of Privilege (High Severity)
- macOS - Elevation of Privilege (High Severity)
Platforms not affected by the vulnerability include iOS, console platforms such as PlayStation, Xbox, and Nintendo Switch, and Meta Horizon OS. These platforms are protected by their respective platform-level security measures that prevent this type of exploitation.
The vulnerability affects virtually every game and application built with Unity 2017.1 or later that has not been updated. Popular games requiring immediate patching include:
- Genshin Impact
- Pokémon GO
- Cities: Skylines 2
- Rust
- Among Us
- Subnautica
- Vampire Survivors
- Dave the Diver
- Ori and the Will of the Wisps
- Cuphead
- Cult of the Lamb
- Valheim
- The Forest
- Silksong
- Dredge
Unity claims that there is no evidence of any exploitation of the vulnerability, nor any impact on users or customers to date. Since the exploit details are now publicly available following the disclosure, attacks are expected to start very quickly.
Unity Technologies has provided several remediation options:
- Update the Unity Editor to the newest patched version, then rebuild and redeploy the application. Unity has released patches for all currently supported versions and has extended fixes to out-of-support versions dating back to Unity 2019.1, but older versions from Unity 2017.1 through Unity 2018.4 have not received patches and remain vulnerable.
- For developers who prefer not to rebuild their projects, Unity has published a Binary Patch tool (the Unity Application Patcher) that replaces the Unity runtime library with a patched version for Android, Windows, and macOS builds. The tool does not work on builds with tamper-proofing or anti-cheat measures, and there is no Linux version: citing the lower risk profile of Linux environments with strict access control policies, Unity has not released one. Unity has stated that the fix is unlikely to break most games, though developers should thoroughly test their applications after applying patches.
Unity Technologies has been working with Microsoft to update Microsoft Defender to detect and block exploitation attempts, partnering with Valve to add protections to the Steam platform, coordinating with Google to expedite the approval process for patched applications on the Play Store so that developers can ship patches faster, and synchronizing with endpoint detection and response vendors such as CrowdStrike and Bitdefender to identify and block potential exploits. Google Play's built-in malware scanning and security features will also automatically identify affected applications.
Several high-profile games have already received security updates in response to the disclosure. Cities: Skylines 2 and Two Point Museum were among the first games to be patched. The developer of Tainted Grail: The Fall of Avalon notified players via the game's Discord channel about the Unity vulnerability and released a patch several days prior to the public disclosure. The developer specifically warned users to use only the latest update and to refrain from running older game versions, since the exploit is now public and could start being used, and recommended caution for all Unity games until patches are released.
Update - As of 5 October 2025, Microsoft has urged users to uninstall Unity games until they receive security patches that fix CVE-2025-59489. The Steam platform now blocks all Unity-based games if they are launched with one of four command-line parameters that Unity shared with Valve and that are used to exploit the bug.