Untrusted Search Path Vulnerability in Unity Editor Affects Multiple Platforms
CVE-2025-59489
Key Information:
- Vendor: Unity3d
- CVE Published: 3 October 2025
What is CVE-2025-59489?
CVE-2025-59489 identifies an untrusted search path vulnerability in the Unity Editor, affecting versions from 2019.1 through 6000.3. Unity Editor, developed by Unity Technologies, is a widely used platform for creating and deploying interactive 2D and 3D applications across various environments, including games and simulations. This vulnerability arises from improper handling of file loading and local file inclusion (LFI) mechanisms, which could allow remote attackers to manipulate runtime resources and integrate unauthorized third-party components. Such untrusted paths pose significant risks because they facilitate the execution of arbitrary code within applications built using Unity, impacting not only the software itself but also any integrated systems and data.
Potential Impact of CVE-2025-59489
- Unauthorized Access and Manipulation: Exploitation of this vulnerability can lead to unauthorized access, enabling attackers to manipulate the application’s resources. This includes potential alterations to the software’s functionality and access to sensitive data managed by the application.
- Local File Inclusion Attacks: By leveraging the local file inclusion mechanisms, attackers may execute malicious scripts or obtain sensitive files from the system where the Unity application is running. This can lead to further exploitation of the environment, potentially allowing for broader network compromise.
- Impact Across Multiple Platforms: The vulnerability’s reach extends across various operating systems, including Android, Windows, macOS, and Linux. This cross-platform nature means that a wide array of applications developed with Unity are at risk, heightening the urgency for organizations to address the vulnerability to safeguard their applications and associated data integrity.

Affected Version(s)
Unity Editor 6000.3 < 6000.3.0b4
Unity Editor 6000.2 < 6000.2.6f2
Unity Editor 6000.0 LTS < 6000.0.58f2
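Unity version strings ("6000.0.58f2") do not sort as plain dotted numbers, so a naive string comparison against the fixed builds above gives wrong answers. The checker below is an added example, not code from this page or from Unity: it parses the Unity format and reports whether an installed Editor build is below the fix in its release stream. It assumes the release-type letters order as alpha < beta < final < patch within the same numeric version, and only knows the three streams listed above; anything else is reported as "not listed".

```python
import re
from typing import NamedTuple, Optional

# First fixed build in each affected stream, as listed on this page.
FIXED_IN = {
    (6000, 3): "6000.3.0b4",
    (6000, 2): "6000.2.6f2",
    (6000, 0): "6000.0.58f2",
}

# Assumption: Unity release letters rank alpha < beta < final < patch
# when the numeric part is identical.
RELEASE_RANK = {"a": 0, "b": 1, "f": 2, "p": 3}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([abfp])(\d+)$")


class UnityVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    rank: int   # release-type rank from RELEASE_RANK
    build: int  # number after the release letter


def parse_unity_version(text: str) -> UnityVersion:
    """Parse e.g. '6000.0.58f2' into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Unity version string: {text!r}")
    major, minor, patch, kind, build = m.groups()
    return UnityVersion(int(major), int(minor), int(patch),
                        RELEASE_RANK[kind], int(build))


def is_affected(text: str) -> Optional[bool]:
    """True if below the fix for its stream, False if at or above it,
    None if the major.minor stream is not one of the three listed here."""
    v = parse_unity_version(text)
    fixed = FIXED_IN.get((v.major, v.minor))
    if fixed is None:
        return None
    return v < parse_unity_version(fixed)


if __name__ == "__main__":
    # Constructed inventory of Editor installs for the walkthrough.
    for ver in ("6000.3.0b3", "6000.2.6f2", "6000.0.57f1", "2022.3.10f1"):
        print(ver, {True: "AFFECTED", False: "fixed", None: "not listed"}[is_affected(ver)])
```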
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
The CVE-2025-59489 vulnerability in Unity, and how to fix it in games
Exploring a dangerous vulnerability in the Unity game engine, and how to protect your devices
Microsoft tells users to uninstall games affected by major Unity bug
In other news: Discord discloses data breach; Gmail rolls out E2EE; Apple and Google block ICE tracking app.
Steam and Microsoft warn of Unity flaw exposing gamers to attacks
A code execution vulnerability in the Unity game engine could be exploited to achieve code execution on Android and privilege escalation on Windows.
Timeline
- 🟡 Public PoC available
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 📰 First article discovered by BleepingComputer
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 📈 Vulnerability started trending
- Vulnerability published
- Vulnerability Reserved
