Code execution vulnerability in Unity runtime - and why your car manufacturer should care.
A security engineer from Japan, known by the nickname RyotaK, published a vulnerability yesterday in Unity - the real-time engine for interactive 3D experiences. If you open your favorite cybersecurity news aggregator, you'll find headlines about it. But Unity is used not only on mobile phones and PCs for gaming.
In the automotive industry, Unity has been used for several years for vehicle design, personnel training, and all kinds of simulations. It's also used for in-car HMIs (Human-Machine Interfaces) - the graphics on the screens you see in a car.
All versions of Unity are affected - both supported and no longer supported ones. The only way to fix the vulnerability is to apply the patch.
The fact that this code is present in a car doesn't mean a specific vendor is affected or that the bug is exploitable. What we know for sure is that:
1. Unity Runtime can be found in cars.
2. Under certain conditions, Unity Runtime can lead to Remote Code Execution (RCE) triggered via a browser.
Enjoy the research below - it's very interesting. Please share it.
Thanks!
More details:
CVE-2025-59489: Arbitrary Code Execution in Unity Runtime [Blog]: https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/
Unity Security Update Advisory: https://unity.com/security/sept-2025-01


