Full Report
Apple is urging users who are still running an outdated version of iOS to update their iPhones to secure against web-based attacks carried out via powerful exploit kits like Coruna and DarkSword. These attacks employ malicious web content to target out-of-date versions of iOS, triggering an infection chain that leads to the theft of sensitive data. "For example, if you're using an older
Analysis Summary
# Vulnerability: Large-Scale Exploitation of Legacy iOS via Coruna and DarkSword Exploit Kits
## CVE Details
*Note: The specific underlying CVE IDs for the 23 exploits used by Coruna and 6 flaws used by DarkSword are not explicitly listed in the provided text, but they refer to vulnerabilities patched in current releases.*
- **CVE ID:** Multiple (referencing legacy vulnerabilities weaponized in exploit kits)
- **CVSS Score:** N/A (Individual exploits range from High to Critical)
- **CWE:** CWE-20 (Improper Input Validation), CWE-119 (Memory Corruption) - Typical of web-based RCE and Sandbox Escapes used in these kits.
## Affected Systems
- **Products:** iPhone, iPad
- **Versions:**
- iOS 14 and earlier
- iOS 13 and earlier
- Any version prior to iOS 15.8.7 or iOS 16.7.15 (for older hardware)
- **Configurations:** Devices visiting compromised websites or clicking malicious links (Watering Hole attacks).
## Vulnerability Description
The threat involves the weaponization of known security flaws through sophisticated exploit kits named **Coruna** (utilizing 23 exploits) and **DarkSword** (utilizing 6 exploits). These kits leverage malicious web content to compromise the mobile browser. Once a user visits a malicious or compromised site, an infection chain is triggered that performs a sandbox escape and kernel exploitation, ultimately leading to unauthorized access to the device's file system and sensitive data.
## Exploitation
- **Status:** **Exploited in the wild** (Mass-scale exploitation reported)
- **Complexity:** Low (for the attacker to deploy via kits; kits are highly automated)
- **Attack Vector:** Network (Web-based/Remote)
## Impact
- **Confidentiality:** High (Theft of sensitive user data, messages, and files)
- **Integrity:** High (Potential for persistent malware installation)
- **Availability:** Medium (Exploitation may cause device instability or crashes)
## Remediation
### Patches
Apple recommends updating to the latest possible version supported by the hardware:
- **For older hardware:** Update to **iOS 15.8.7 / iPadOS 15.8.7** or **iOS 16.7.15 / iPadOS 16.7.15**.
- **For newer hardware:** Ensure the device is running **iOS 17 through iOS 26** (per article timeframe).
- **For iOS 13/14 users:** Update immediately to iOS 15; a specific "Critical Security Update" is expected shortly for these branches.
### Workarounds
- **Lockdown Mode:** Enable Lockdown Mode if updating is not immediately possible to reduce the web-attack surface.
- **Browser Security:** Avoid clicking unsolicited links and browsing untrusted websites.
## Detection
- **Indicators of Compromise:** Unusual battery drain, unexpected device reboots, or unauthorized data transfers.
- **Detection Methods:** Mobile Security/EDR solutions (e.g., iVerify) can detect indicators of these specific exploit kits on the device.
## References
- Apple Support Document: hxxps[://]support[.]apple[.]com/en-us/126776
- iVerify Research: hxxps[://]iverify[.]io/blog/darksword-ios-exploit-enterprise-risk
- Vendor Advisory: hxxps[://]thehackernews[.]com/2026/03/apple-issues-security-updates-for-older[.]html