Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighPublic exploit

Argument injection and arbitrary library loading in Unity Runtime

IdentifiersCVE-2025-59489CWE-426· Untrusted Search Path

CVE-2025-59489 is a high-severity vulnerability in Unity Runtime affecting applications built with vulnerable Unity Editor versions, reported across Android, Windows, macOS, and Linux. The flaw is caused by improper handling of command-line arguments, specifically the "-xrsdk-pre-init-library" parameter, which can be influenced by an attacker and used to force the runtime to load a native library from an unintended location. The issue is described as an argument injection condition that creates an untrusted search path / unintended library load scenario. On Android, reporting indicates the issue is tied to Unity debugging support, where an exported UnityPlayerActivity can accept attacker-controlled intent extras that are passed as command-line arguments. On Windows, exploitation risk increases where a vulnerable Unity application exposes a custom URI handler that can be abused to pass crafted arguments. Successful exploitation results in loading attacker-controlled native code into the target Unity application process.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to arbitrary code execution within the context of the vulnerable Unity application. An attacker may execute malicious native code, access or exfiltrate confidential information available to the application, and potentially achieve privilege escalation where the application has elevated or sensitive permissions. Impact is bounded by the privileges and data access of the targeted Unity application, but this can still be significant on end-user systems and mobile devices.

Mitigation

If you can’t patch tonight, do this now.

Until rebuilt applications are deployed, reduce exploitability by blocking or filtering dangerous Unity launch parameters, especially those associated with library pre-initialization. On Windows, restrict or remove unnecessary custom URI handlers for vulnerable Unity applications. On Android and other local-app threat models, prevent untrusted co-resident applications from invoking vulnerable Unity apps where possible. Defensive monitoring should include detection of unexpected DLL/shared-library loads, anomalous child process or runtime behavior, unauthorized memory access/code injection attempts, unusual crashes, and unexpected outbound network activity. File integrity monitoring and cryptographic integrity verification of application files and loaded libraries can help detect tampering. Platform mitigations noted in the content include Microsoft Defender detections and Steam blocking launches containing known malicious parameters.

Remediation

Patch, then assume compromise.

Update to a Unity Editor version containing the fix, then rebuild and redeploy all affected applications. The content indicates that simply updating Unity Editor is typically insufficient for already-shipped software; affected Unity-based applications must be recompiled with the patched runtime and redistributed to users. Reported fixed versions include Unity Editor 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2, with fixes also pushed to discontinued branches down to 2019.1. Some guidance also references replacing UnityPlayer.dll with a patched runtime file for certain existing deployments where supported.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

VALID 1 / 2 TOTALView more in app
CVE-2025-59489-POCMaturityPoCVerified exploit

This repository is a Proof-of-Concept (PoC) exploit for CVE-2025-59489, targeting Unity-based games on Android. The structure is that of a standard Android Studio project, with the main exploit logic in 'MainActivity.java' and a native payload in 'libpreinitv2/preinit.c'. The exploit works by allowing the user to specify the package name of a Unity app installed on the device. It then attempts to launch the Unity app with a special intent that causes the app to load the attacker's native library (libpreinit.so). When loaded, this library executes code (via its constructor) that sends a broadcast intent back to the PoC app, confirming successful code execution. The exploit is designed to test for arbitrary code execution vulnerabilities in Unity's Android runtime, specifically the ability to load attacker-controlled native libraries into another app's process. The repository includes build scripts, Android resources, and test files, but the core exploit logic is in the Java and C files. No network endpoints are involved; the attack vector is local, requiring the attacker to have the ability to install and run apps on the target device.

GithubKillsMyOpsecDisclosed Oct 6, 2025javaclocal
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Unity TechnologiesEditorapplication
Unity3dUnity Editorapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

139 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

139 SOURCESView more in app
the hacker newsNews
Nov 18, 2025
Meta Expands WhatsApp Security Research with New Proxy Tool and $4M in Bounties This Year

A Meta Quest device vulnerability allowing a malicious installed application to manipulate Unity applications to achieve arbitrary code execution.

Read more
the hacker newsNews
Oct 13, 2025
⚡ Weekly Recap: WhatsApp Worm, Critical CVEs, Oracle 0-Day, Ransomware Cartel & More

A vulnerability in Unity for Android and Windows, listed as a trending CVE for the week. No further details provided.

Read more
lawfareNews
Oct 10, 2025
Clop is a Big Fish, But Not Worth Hunting

A vulnerability in the Unity game engine (CVE-2025-59489) allows malicious apps on the same device to inject command-line arguments into Unity-based games, potentially loading malicious code. It primarily affects Android but may also impact other platforms and, in rare cases, can be exploited remotely.

Read more
risky biz rssNews
Oct 9, 2025
Clop is a Big Fish, But Not Worth Hunting

A vulnerability in the Unity game engine that allows malicious apps to inject command-line arguments into Unity-based games, potentially loading malicious code. Impacts Android and possibly other platforms, with some remote exploitation scenarios possible.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity130

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-59489
NVD
nvd.nist.gov/vuln/detail/CVE-2025-59489
MITRE CWE · CWE-426
Untrusted Search Path
Vendor Advisory
unity.com/security/sept-2025-01
Third Party Advisory
flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime
Product
unity.com/security