Back to KEVs

CVE-2025-59489

Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an...

Basic Information

CVE State
PUBLISHED
Reserved Date
September 16, 2025
Published Date
October 03, 2025
Last Updated
October 03, 2025
Vendor
Unity3D
Product
Unity Editor
Description
Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.

CVSS Scores

CVSS v3.1

7.4 - HIGH

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
poc
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-10-03 20:58:38 UTC) Source

References

https://unity.com/security#security-updates-and-patches https://unity.com/security/sept-2025-01 https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-10-03 20:58:38 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel