Unity fixes Android mobile bug, assures users no known exploits were found in the recent security patch.

Unity Technologies has released patches to address a high-severity vulnerability affecting games and applications built on its engine, primarily impacting Android-based mobile games. The vulnerability, identified as CVE-2025-59489 with a CVSS score of 8.4, could allow attackers to execute malicious code within the affected applications. The flaw was discovered by security researcher RyotaK from GMO Flatt Security Inc. during Meta's Bug Bounty Conference in May 2025. Unity disclosed the vulnerability on October 2, 2025, after implementing patches across affected versions.

The vulnerability resides in Unity's intent handling system on Android. Unity applications automatically accept command-line arguments through Android intents, which are used for inter-app communication. A malicious application could exploit this by injecting the "-xrsdk-pre-init-library" argument, forcing the vulnerable Unity app to load an attacker-controlled native library (a .so file). Once loaded, this malicious code would run with the same privileges as the targeted game or application, potentially accessing sensitive data like camera permissions, location information, or even crypto wallets.

While the vulnerability affects Android, Windows, Linux, and macOS platforms to varying degrees, Android is the primary concern. Although Android's SELinux protections limit remote exploitation, local attacks remain viable, meaning any malicious app installed on the same device could exploit vulnerable Unity applications.

Unity has released patches for all versions from 2019.1 onward and has also introduced a Binary Patch tool for developers unable to rebuild applications. The company is urging developers to download the updated Unity Editor versions, recompile their projects, and republish them immediately. The binary patcher modifies the libunity.so file on Android to prevent exploitation. On Windows and macOS, the tool downloads a patched UnityPlayer.dll or UnityPlayer.dylib, respectively, replacing the original file. If an app uses tamper-proofing techniques, the patch won't work, and recompiling from the source is the only safe option.
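To confirm that a rebuilt or binary-patched Android package actually ships a different Unity runtime than the original, the two builds can be compared per ABI. The script below is an added example, not Unity's tooling; it assumes a single universal APK with native libraries at the standard `lib/<abi>/libunity.so` path, and the sample archives are constructed.

```python
import hashlib
import io
import re
import zipfile

# An APK is a ZIP archive; native libraries sit at lib/<abi>/<name>.so.
LIBUNITY = re.compile(r"^lib/([^/]+)/libunity\.so$")


def unity_libs(apk):
    """Return {abi: sha256 hex} for each libunity.so; {} if not a Unity app."""
    found = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            m = LIBUNITY.match(info.filename)
            if m:
                found[m.group(1)] = hashlib.sha256(zf.read(info)).hexdigest()
    return found


def patch_status(before, after):
    """Compare unity_libs() output for the original and the patched build.

    Returns {abi: "changed" | "unchanged" | "missing"}. "unchanged" means the
    runtime is byte-identical, so the patch or rebuild did not reach that ABI.
    """
    status = {}
    for abi, digest in before.items():
        if abi not in after:
            status[abi] = "missing"
        else:
            status[abi] = "unchanged" if after[abi] == digest else "changed"
    return status


def sample_apk(files):
    """Build a constructed in-memory APK-like ZIP (demo input, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    old = sample_apk({"lib/arm64-v8a/libunity.so": b"runtime-v1",
                      "lib/armeabi-v7a/libunity.so": b"runtime-v1"})
    new = sample_apk({"lib/arm64-v8a/libunity.so": b"runtime-v2",
                      "lib/armeabi-v7a/libunity.so": b"runtime-v1"})
    print(patch_status(unity_libs(old), unity_libs(new)))
```

A "changed" result only shows that the file differs from the original; it does not by itself prove the fix is present, so an "unchanged" ABI is the actionable finding.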

Despite the severity of the vulnerability, Unity says it has seen no active exploitation: "There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers." Google has also stated that malicious apps exploiting this vulnerability have not been found on the Play Store. A Google spokesperson confirmed that they are aware of the vulnerability and that Google Play will support developers in releasing patched versions of their apps as quickly as possible.

Users are advised to update all Unity-based games and applications as patches become available. Experts also recommend avoiding sideloading apps from unofficial sources, as these may contain malicious modifications that exploit the vulnerability. Sideloaded apps also won't automatically receive security updates. It is also recommended to keep crypto credentials and apps separate from gaming devices or accounts and to adjust device permissions to turn off nonessential overlays or accessibility services.

Unity is one of the world's most popular game engines, powering over 70% of the top thousand mobile games. The company has been working closely with platform partners who have taken further steps to secure their platforms and protect end-users. Unity is also enhancing its Secure Software Development Lifecycle (SSDLC) program, tooling, and processes to prevent similar vulnerabilities in the future.


Written By
With a keen interest in sports and community events, Rahul is launching his journalism career by covering stories that unite people. He's focused on developing his reporting skills, capturing the excitement of local competitions and the spirit of community gatherings. Rahul aims to go beyond scores and outcomes, delving into athletes' personal stories and the impact of these events on local culture and morale. His passion for sports drives him to explore the deeper connections within the community.
© 2025 DailyDigest360