GMO Flatt Security Research - flatt.tech
Posted on October 3, 2025
Introduction
Hello, I’m RyotaK (@ryotkak ), a security engineer at GMO Flatt Security Inc.
In May 2025, I participated in the Meta Bug Bounty Researcher Conference 2025. During this event, I discovered a vulnerability (CVE-2025-59489) in the Unity Runtime that affects games and applications built on Unity 2017.1 and later.
In this article, I will explain the technical aspects of this vulnerability and its impact.
This vulnerability was disclosed to Unity following responsible disclosure practices.
Unity has since released patches for Unity 2019.1 and later, as well as a Unity Binary Patch tool to address the issue, and I strongly encourage developers to download the updated versions of Unity, recompile affected games or applications, and republish as soon as possible.
For the official security advisory, please refer to Unity’s advisory here: https://unity.com/security/sept-2025-01
We appreciate Unity’s commitment to addressing this issue promptly and their ongoing efforts to enhance the security of their platform.
Security vulnerabilities are an inherent challenge in software development, and by working together as a community, we can continue to make software systems safer for everyone.
TL;DR
A vulnerability was identified in the Unity Runtime’s intent handling process for Unity games and applications.
This vulnerability allows malicious intents to control command line arguments passed to Unity applications, enabling attackers to load arbitrary shared libraries (.so files) and execute malicious code, depending on the platform.
In its default configuration, this vulnerability allowed malicious applications installed on the same device to hijack permissions granted to Unity applications.
In specific cases, the vulnerability could be exploited remotely to execute arbitrary code, although I didn’t investigate third-party Unity applications to find an app with the functionality required to enable this exploit.
Unity has addressed this issue and has updated all affected Unity versions starting with 2019.1. Developers are strongly encouraged to download them, recompile their games and applications, and republish to ensure their projects remain secure.
About Unity
Unity is a popular game engine used to develop games and applications for various platforms, including Android.
According to Unity’s website, 70% of top mobile games are built with Unity. This includes popular games like Among Us and Pokémon GO, along with many other applications that use Unity for development.
Technical Details
Note: During the analysis, I used Android 16.0 on the Android Emulator of Android Studio. The behavior and impact of this vulnerability may differ on older Android versions.
Unity’s Intent Handler
To support debugging Unity applications on Android devices, Unity automatically adds a handler for the intent containing the unity extra to the UnityPlayerActivity. This activity serves as the default entry point for applications and is exported to other applications.
https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html
adb shell am start -n "com.Company.MyGame/com.unity3d.player.UnityPlayerActivity" -e unity "-systemallocator"
As documented above, the unity extra is parsed as command line arguments for Unity.
While Android’s permission model manages feature access by granting permissions to applications, it does not restrict which intents can be sent to an application.
This means any application can send the unity extra to a Unity application, allowing attackers to control the command line arguments passed to that application.
xrsdk-pre-init-library Command Line Argument
After loading the Unity Runtime binary into Ghidra, I discovered the following command line argument:
initLibPath = FUN_00272540(uVar5, "xrsdk-pre-init-library");
The value of this command line argument is later passed to dlopen, causing the path specified in xrsdk-pre-init-library to be loaded as a native library.
lVar2 = dlopen(initLibPath, 2);
This behavior allows attackers to execute arbitrary code within the context of the Unity application, leveraging its permissions by launching them with the -xrsdk-pre-init-library argument.
Attack Scenarios
Local Attack
Any malicious application installed on the same device can exploit this vulnerability by:
Extracting the native library with the android:extractNativeLibs attribute set to true in the AndroidManifest.xml
Launching the Unity application with the -xrsdk-pre-init-library argument pointing to the malicious library
The Unity application would then load and execute the malicious code with its own permissions
Remote Exploitation via Browser
In specific cases, this vulnerability could potentially be exploited remotely although the condition .
For example, if an application exports UnityPlayerActivity or UnityPlayerGameActivity with the android.intent.category.BROWSABLE category (allowing browser launches), websites can specify extras passed to the activity using intent URLs:
intent:#Intent;package=com.example.unitygame;scheme=custom-scheme;S.unity=-xrsdk-pre-init-library%20/data/local/tmp/malicious.so;end;
At first glance, it might appear that malicious websites could exploit this vulnerability by forcing browsers to download .so files and load them via the xrsdk-pre-init-library argument.
SELinux Restrictions
However, Android’s strict SELinux policy prevents dlopen from opening files in the downloads directory, which mitigates almost all remote exploitation scenarios.
library "/sdcard/Download/libtest.so" ("/storage/emulated/0/Download/libtest.so") needed
or dlopened by "/data/app/~~24UwD8jnw7asNjRwx1MOBg==/com.DefaultCompany.com.unity.template.
mobile2D-E043IptGJDwcTqq56BocIA==/lib/arm64/libunity.so" is not accessible for the
namespace: [name="clns-9", ld_library_paths="",default_library_paths="/data/app/~~24UwD8jnw7asNjRwx1MOBg==/com.DefaultCompany.com.unity.template.
mobile2D-E043IptGJDwcTqq56BocIA==/lib/arm64:/data/app/~~24UwD8jnw7asNjRwx1MOBg==/com.DefaultCompany.com.unity.template.mobile2D-E043IptGJDwcTqq56BocIA==/base.apk!/lib/arm64-v8a", permitted_paths="/data:/mnt/expand:/data/data/com.DefaultCompany.com.unity.template.mobile2D"]
That being said, since the /data/ directory is included in permitted_paths, if the target application writes files to its private storage, it can be used to bypass this restriction.
Furthermore, dlopen doesn’t require the .so file extension. If attackers can control the content of a file in an application’s private storage, they can exploit this vulnerability by creating a file containing malicious native library binary. This is actually a common pattern when applications cache data.
For example, another vulnerability in Messenger was exploited using the application’s cache: https://www.hexacon.fr/slides/Calvanno-Defense_through_Offense_Building_a_1-click_Exploit_Targeting_Messenger_for_Android.pdf
Requirements for Remote Exploitation
To exploit this vulnerability remotely, the following conditions must be met:
The application exports UnityPlayerActivity or UnityPlayerGameActivity with the android.intent.category.BROWSABLE category
The application writes files with attacker-controlled content to its private storage (e.g., through caching)
Even without these conditions, local exploitation remains possible for any Unity application.
Demonstration
Conclusion
In this article, I explained a vulnerability in Unity Runtime that allows arbitrary code execution in almost all Unity applications on Android.
I hope this article helps you understand that vulnerabilities can exist in the frameworks and libraries you depend on, and you should always be mindful of the security implications of the features you use.
Mitel phone firmware analysis lead to the discovery of two vulnerabilities (CVE-2025-47187 & CVE-2025-47188). Exploiting them leads to unauthenticated code execution on the phone itself.
While on an internal attack simulation engagement, a customer asked us: “Is an attacker able to listen in on our meeting room conversations?”. Motivated by this question, we scanned their internal network and discovered Mitel VoIP phone web management interfaces.
While playing around with the login functionality of the management interface, we accidentally rediscovered CVE-2020-13617 on our own - and since the phone firmware was old enough, it allowed us to leak memory in the failed login response. While we didn’t have enough time to analyze the phone during this engagement, my interest in the phone and its firmware did not vanish.
As part of the R&D team at InfoGuard Labs, I decided to take a closer look at the phone as a research project. This lead to the discovery of two new vulnerabilities:
CVE-2025-47188: Unauthenticated command injection vulnerability
CVE-2025-47187: Unauthenticated .wav file upload vulnerability
These vulnerabilities are present in Mitel 6800 Series, 6900 Series and 6900w Series SIP Phones, including the 6970 Conference Unit with firmware version R6.4.0.SP4 and earlier. Mitel has published the MISA-2025-0004 security advisory informing about these vulnerabilities, the affected devices as well as remediation measures.
forbes.com - Microsoft has confirmed that SharePoint Server is under mass attack and no patch is yet available — here’s what you need to know and how to mitigate the threat.
Microsoft Confirms CVE-2025-53770 SharePoint Server Attacks
It’s been quite the few weeks for security warnings, what with Amazon informing 220 million customers of Prime account attacks, and claims of a mass hack of Ring doorbells going viral. The first of those can be mitigated by basic security hygiene, and the latter appears to be a false alarm. The same cannot be said for CVE-2025-53770, a newly uncovered and confirmed attack against users of SharePoint Server which is currently undergoing mass exploitation on a global level, according to the Eye Research experts who discovered it. Microsoft, meanwhile, has admitted that not only is it “aware of active attacks” but, worryingly, “a patch is currently not available for this vulnerability.”
CVE-2025-53770, which is also being called ToolShell, is a critical vulnerability in on-premises SharePoint. The end result of which is the ability for attackers to gain access and control of said servers without authentication. If that sounds bad, it’s because it is. Very bad indeed.
“The risk is not theoretical,” the researchers warned, “attackers can execute code remotely, bypassing identity protections such as MFA or SSO.” Once they have, they can then “access all SharePoint content, system files, and configurations and move laterally across the Windows Domain.”
And then there’s the theft of cryptographic keys. That can enable an attacker to “impersonate users or services,” according to the report, “even after the server is patched.” So, even when a patch is eventually released, and I would expect an emergency update to arrive fairly quickly for this one, the problem isn’t solved. You will, it was explained, “need to rotate the secrets allowing all future tokens that can be created by the malicious actor to become invalid.”
And, of course, as SharePoint will often connect to other core services, including the likes of Outlook and Teams, oh and not forgetting OneDrive, the threat, if exploited, can and will lead to “data theft, password harvesting, and lateral movement across the network,” the researchers warned.
msrc.microsoft.com - Microsoft is aware of active attacks targeting on-premises SharePoint Server customers. The attacks are exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.
SharePoint Online in Microsoft 365 is not impacted.
A patch is currently not available for this vulnerability. Mitigations and detections are provided below.
Our team is actively working to release a security update and will provide additional details as they are available.
How to protect your environment
To protect your on-premises SharePoint Server environment, we recommend customers configure AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. This will stop unauthenticated attackers from exploiting this vulnerability.
AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. For more details on how to enable AMSI integration, see here.
If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available.
We also recommend you deploy Defender for Endpoint to detect and block post-exploit activity.
We will continue to provide updates and additional guidance for our customers as they become available.
Microsoft Defender Detections and Protections
Microsoft Defender Antivirus
Microsoft Defender Antivirus provides detection and protection against components and behaviors related to this threat under the detection name:
Exploit:Script/SuspSignoutReq.A
Trojan:Win32/HijackSharePointServer.A
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint provides customers with alerts that may indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity. The following alert titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:
Possible web shell installation
Possible exploitation of SharePoint server vulnerabilities
Suspicious IIS worker process behavior
‘SuspSignoutReq’ malware was blocked on a SharePoint server
HijackSharePointServer’ malware was blocked on a SharePoint server
Advanced hunting
NOTE: The following sample queries let you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential related indicators for more than a week, go to the Advanced Hunting page > Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days.
To locate possible exploitation activity, run the following queries in Microsoft 365 security center.
Successful exploitation via file creation (requires Microsoft 365 Defender)
Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. Run query in the Microsoft 365 Defender
DeviceFileEvents
| where FolderPath has "MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
June 26, 2025 by Anil Shetty netscaler.com
Over the past two weeks, Cloud Software Group has released builds to address CVE-2025-6543 and CVE 2025-5777, which affect NetScaler ADC and NetScaler Gateway if they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR an Authentication Authorization and Auditing (“AAA”) virtual server. While both of the vulnerabilities involve the same modules, the exposures differ. CVE 2025-6543, if exploited, could lead to a memory overflow vulnerability, resulting in unintended control flow and Denial of Service. CVE 2025-5777 arises from insufficient input validation that leads to memory overread.
Some commentators have drawn comparisons between CVE 2025-5777 and CVE 2023-4966. While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related.
The description of the vulnerability on the NIST website for CVE-2025-5777 initially erroneously identified NetScaler Management Interface as implicated in the vulnerability, but they subsequently updated the description to exclude it. The most accurate description of CVE 2025-5777 can be found in the Citrix security bulletin published on June 17, 2025.
Through our internal review process and by collaborating with customers, we identified the affected NetScaler ADC and NetScaler Gateway builds. CVE 2025-5777 only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates. Please refer to the security bulletin for more details.
Citrix has signed CISA’s Secure by Design pledge, reinforcing our commitment to building security into every stage of the product lifecycle. As part of this pledge, we prioritize security by default, transparency, and accountability in how we manage vulnerabilities. Our Product Security Incident Response Team (PSIRT) follows industry standards to assess, address, and disclose vulnerabilities responsibly. We work closely with security researchers, government agencies and customers to ensure timely fixes and clear communication. Learn more about our responsible disclosure process at Citrix Vulnerability Response.
Additionally, there’s an issue related to authentication that you may observe after upgrading NetScaler to build 14.1 47.46 or 13.1 59.19. This can manifest as a “broken” login page, especially when using authentication methods like DUO configurations based on Radius authentication, SAML, or any Identity Provider (IDP) that relies on custom scripts. This behavior can be attributed to the Content Security Policy (CSP) header being enabled by default in this NetScaler build, especially when CSP was not enabled prior to the upgrade. For more information on this issue please refer to the KB article.
The Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws.
The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker—for example, via SSH—can elevate to the “allow_active” user and invoke polkit actions normally reserved for a physically present user.
The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges. Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access.
This libblockdev/udisks flaw is extremely significant. Although it nominally requires “allow_active” privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable. Techniques to gain “allow_active”, including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort. Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay.
The Qualys Threat Research Unit (TRU) has developed proof-of-concept exploits to validate these vulnerabilities on various operating systems, successfully targeting the libblockdev/udisks flaw on Ubuntu, Debian, Fedora, and openSUSE Leap 15.
A new attack technique named Policy Puppetry can break the protections of major gen-AI models to produce harmful outputs.
The Sysdig Threat Research Team (TRT) has discovered CVE-2025-32955, a now-patched vulnerability in Harden-Runner, one of the most popular GitHub Action CI/CD security tools. Exploiting this vulnerability allows an attacker to bypass Harden-Runner’s disable-sudo security mechanism, effectively evading detection within the continuous integration/continuous delivery (CI/CD) pipeline under certain conditions. To mitigate this risk, users are strongly advised to update to the latest version.
The CVE has been assigned a CVSS v3.1 base score of 6.0.
Next.js is an open-source web framework built by Vercel that powers React-based apps with features like server-side and static rendering. Recently, a critical vulnerability (CVE) was disclosed that lets attackers bypass middleware-based authorization checks. The issue was originally discovered and analyzed by Rachid Allam (zhero). In this blog, we’ll break down the vulnerability and walk through their research and will create a Nuclei template to help you detect it across your assets.
Cisco recently released an advisory for CVE-2024-20439 here. (nvd) Please note I did not discover this vulnerability, I just reverse engineered the vulnerability from the advisory
On Wednesday, March 19, 2025, backup and recovery software provider Veeam published a security advisory for a critical remote code execution vulnerability tracked as CVE-2025-23120. The vulnerability affects Backup & Replication systems that are domain joined. Veeam explicitly mentions that domain-joined backup servers are against security and compliance best practices, but in reality, we believe this is likely to be a relatively common configuration
It affected (before patching) all currently-maintained branches, and recently was highlighted by CISA as being exploited-in-the-wild.
This must be the first time real-world attackers have reversed a patch, and reproduced a vulnerability, before some dastardly researchers released a detection artefact generator tool of their own. /s
At watchTowr's core, we're all about identifying and validating ways into organisations - sometimes through vulnerabilities in network border appliances - without requiring such luxuries as credentials or asset lists.
