
"To support debugging Unity applications on Android devices, Unity automatically adds a handler for the intent containing the unity extra to the UnityPlayerActivity. This activity serves as the default entry point for applications and is exported to other applications,"
"Code execution would be confined to the privilege level of the vulnerable application, and infor"
A high-severity vulnerability in Unity (CVE-2025-59489, CVSS 8.4) enables attackers to control command-line arguments passed to Unity applications. The vulnerability stems from UnityPlayerActivity handling an exported intent extra used for debugging on Android, allowing any app to supply that extra. An attacker can create a malicious app that extracts a native library and launches a Unity application with an argument that points to the malicious library, yielding code execution at the vulnerable app's privilege level. Remote exploitation may be possible if a website can force a browser to download and load a crafted library. Unity issued fixes across multiple Editor versions, including recent and discontinued releases.
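A defender-side triage check for the issue described above, added here as an example and not code from Unity or SecurityWeek: given a decoded (text) AndroidManifest.xml, it lists any UnityPlayerActivity that other apps can reach, so an inventory of installed or shipped APKs can be prioritised for rebuilds with a patched Editor. The sample manifest is constructed, and the fully qualified class name com.unity3d.player.UnityPlayerActivity is assumed (the match is on the suffix the article names).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded AndroidManifest.xml (as produced by a manifest
# decoder); it is not taken from any real application.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <application>
    <activity android:name="com.unity3d.player.UnityPlayerActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.game.SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""


def find_exported_unity_activities(manifest_xml: str) -> list:
    """Return one finding per UnityPlayerActivity that other apps can launch."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        name = activity.get(f"{{{ANDROID_NS}}}name", "")
        if not name.endswith("UnityPlayerActivity"):
            continue
        exported = activity.get(f"{{{ANDROID_NS}}}exported")
        has_filter = activity.find("intent-filter") is not None
        # Reachable from other apps when exported="true", or when the attribute is
        # absent but an intent-filter is declared (the pre-Android 12 default).
        if exported == "true" or (exported is None and has_filter):
            findings.append({
                "activity": name,
                "exported_attr": exported,
                "protected_by_permission": activity.get(f"{{{ANDROID_NS}}}permission") is not None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_exported_unity_activities(SAMPLE_MANIFEST):
        print(finding)
```

A hit is not itself a misconfiguration, since the Unity entry activity is normally the launcher and must stay exported; the actionable question is whether the app was rebuilt with a fixed Editor version, which the manifest cannot tell you.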
Read at SecurityWeek