The CVE-2025-59489 vulnerability in Unity, and how to fix it in games | Kaspersky official blog
In early October 2025, Unity announced that game developers have a lot of work to do. The popular game engine, used for PC, console and mobile games, contains a vulnerability that requires all published games to be updated. The flaw was introduced eight years ago, in engine version 2017.1, so it affects practically all modern Unity games and applications on Android, Linux, macOS, and Windows.
It wasn’t only developers who reacted to the announcement. Valve announced that the Steam client would refuse to launch games with unsafe startup parameters, and Microsoft went further and recommended temporarily uninstalling vulnerable games until they can be patched.
So what is the threat from this vulnerability, and how to fix it without uninstalling games?
How the Unity vulnerability works
Exploitation of CVE-2025-59489 can make a game run malicious code, or give an attacker access to information on the device. Anyone who can pass startup parameters to the game can abuse the fact that vulnerable versions of Unity Runtime honor several parameters intended for debugging and development: -xrsdk-pre-init-library, -dataFolder, -overrideMonoSearchPath, and -monoProfiler, among others. Each of them makes the engine load a native library from a path given on the command line, or search an attacker-chosen directory for one, without checking where that path points. The library is a .dll on Windows, a .so on Android and Linux, or a .dylib on macOS.
This way, a malicious application with low privileges can launch a game with modified startup parameters and make it load and run a malicious library that the attacker has already placed on the device. The library then executes inside the game’s process, with the same privileges and access as the game itself.
Another type of attack that can exploit this vulnerability is carried out remotely. If a game can be launched by clicking on certain hyperlinks in the browser (the game must be registered as a URI scheme handler), a malicious site can first persuade the user to download the malicious library file, and then launch the vulnerable game with startup parameters that point at that file.
How dangerous exploitation is depends largely on the game’s settings and version and on the OS configuration, but Unity, Valve and Microsoft unanimously recommend updating all games on the system.
What’s the danger of a vulnerability in a game?
Exploitation of this vulnerability serves to escalate privileges and bypass defenses. An unknown application in modern operating systems is usually isolated from others and deprived of access to sensitive information. But it can still launch already installed applications. So when the game is launched with parameters crafted by an attacker, it loads a malicious library, and this library is considered by the system and its defense mechanisms to be part of the game. It has the same rights and access as the game itself, and can also slip under the radar of some antiviruses. Games sometimes require relatively high privileges in the system, so this is a way for an attacker to become, if not the administrator of the device, at least a “respected user”.
Is this vulnerability being exploited in real-world attacks?
Unity emphasizes that the flaw was discovered by ethical hackers and there is no evidence to date that the vulnerability is being used in real attacks. But given the widespread publicity of the issue and the ease of exploitation, any willing attacker could arm themselves with CVE-2025-59489 in just a couple of days. So taking precautionary measures won’t be unreasonable.
How to fix the vulnerability
The main work should be done by game developers. Having updated Unity Editor, they should recompile the game with the patched version of Unity Runtime, and publish it on the website or in app stores. Users need to keep track of updates to their Unity-based games, and update them promptly.
Valve has updated the Steam client and fixed this issue for those games that run via the client. Now it blocks the launch of games with the aforementioned dangerous parameters.
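A launcher-side guard of the kind the Steam client now applies, and the same check run as a detection over process-creation events, as an added example that is not code from Unity, Valve or Kaspersky. The flag list is the one named in the section on how the vulnerability works; the log lines are constructed JSON records in an EDR-like shape, not real telemetry; and the argument grammar (a flag followed by its value, or `-flag=value`) and the case-insensitive matching are assumptions made for detection robustness. On Android the same argument string reaches the game through the launching Intent’s extras rather than the process command line, so the matcher is applied to whatever string the telemetry provides.

```python
"""Detect or block Unity launches carrying the CVE-2025-59489 library-loading flags.

Constructed example (not Unity's, Valve's or Kaspersky's code). Assumptions are
labelled inline.
"""
import json
import shlex
from typing import Dict, List, Optional

# Startup parameters the article names as making Unity Runtime load (or search
# for) a native library from an attacker-chosen path. Stored lower-case because
# matching is case-insensitive (assumption, chosen so "-DataFolder" is not missed).
DANGEROUS_FLAGS = {
    "-xrsdk-pre-init-library",
    "-datafolder",
    "-overridemonosearchpath",
    "-monoprofiler",
}


def split_command_line(cmdline: str) -> List[str]:
    """Tokenise a command line from any of the affected platforms.

    posix=False keeps Windows backslashes intact; it also keeps the quotes around a
    quoted token, so those are stripped here.
    """
    tokens = shlex.split(cmdline, posix=False)
    return [
        t[1:-1] if len(t) >= 2 and t[0] == t[-1] and t[0] in "\"'" else t
        for t in tokens
    ]


def find_library_flags(cmdline: str) -> Dict[str, Optional[str]]:
    """Return {flag: value} for every dangerous flag on the command line.

    Grammar assumed: "-flag value" or "-flag=value". A flag with no following value
    is still reported, with value None, because its mere presence is the signal.
    """
    tokens = split_command_line(cmdline)
    found: Dict[str, Optional[str]] = {}
    i = 0
    while i < len(tokens):
        name, _, inline_value = tokens[i].partition("=")
        key = name.lower()
        if key in DANGEROUS_FLAGS:
            if inline_value:
                value: Optional[str] = inline_value
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                value = tokens[i + 1]
                i += 1
            else:
                value = None
            found[key] = value
        i += 1
    return found


def is_safe_to_launch(cmdline: str) -> bool:
    """Launcher-side guard: refuse to start a Unity game whose command line carries
    any of the flags, regardless of the path given (the approach Valve took)."""
    return not find_library_flags(cmdline)


# Constructed process-creation events (not real telemetry). "image" is the game
# binary (or, for Android, the package name) and "cmdline" the argument string.
SAMPLE_EVENTS = [
    r'{"image": "C:\\Games\\Example\\Example.exe", "cmdline": "Example.exe -screen-fullscreen 0 -force-d3d11"}',
    r'{"image": "C:\\Games\\Example\\Example.exe", "cmdline": "Example.exe -xrsdk-pre-init-library \"C:\\Users\\Public\\evil.dll\""}',
    r'{"image": "/opt/example/Example.x86_64", "cmdline": "/opt/example/Example.x86_64 -overrideMonoSearchPath /tmp/payload -monoProfiler evil"}',
    r'{"image": "com.example.game", "cmdline": "-dataFolder=/data/data/com.attacker.app/files"}',
]


def scan_process_events(lines: List[str]) -> List[Dict[str, object]]:
    """Detection pass: one alert per event whose argument string carries a flag."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        event = json.loads(line)
        hits = find_library_flags(event["cmdline"])
        if hits:
            alerts.append({"image": event["image"], "flags": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(f"ALERT {alert['image']}: {alert['flags']}")
```

The guard deliberately blocks on the flag alone rather than trying to judge whether the path is legitimate: a developer who needs these debugging parameters can run a development build outside the launcher, while a user-facing launcher has no reason to pass them.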
Microsoft has confirmed that the vulnerability doesn’t affect Xbox versions of games, but provides an extensive list of vulnerable games available in its app stores for other platforms. Until the vulnerabilities in the specified games are fixed, Microsoft recommends uninstalling them.
In addition to updating your games, be sure your computers and smartphones are protected by a comprehensive cyberthreat prevention system such as Kaspersky Premium. It not only prevents many vulnerabilities from being exploited, but also prevents first-stage malware from running.
How to fix a vulnerability if the game is no longer updated
For developers who no longer have access to the Unity Editor or no longer maintain the game, Unity offers the Unity Application Patcher tool. It detects which version of Unity the game was built with and replaces the vulnerable engine library (libunity.so for Android, UnityPlayer.dll for Windows, UnityPlayer.dylib for macOS) with a fixed one. The patched game still needs to be republished on the website or in the app stores.
For gamers, only the Windows version of the patcher will be useful: swapping the engine library inside a signed macOS app bundle or an Android APK breaks the package’s signature, so the game stops working.