Federal Agencies Alerted to Critical iOS Exploits Amidst Mysterious Cyber Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies address three critical iOS vulnerabilities that have been exploited in hacking campaigns over a 10-month period. These campaigns, involving three distinct groups, were detailed in a report by Google. The exploits, part of a sophisticated hacking kit named Coruna, include 23 separate iOS exploits organized into five powerful exploit chains. Although some vulnerabilities had been previously exploited as zero-days, all were patched by the time Google identified their use in Coruna. However, the kit remains a significant threat to older iOS versions due to its advanced exploit code and wide-ranging capabilities.
Coruna's technical prowess lies in its extensive collection of iOS exploits, which are thoroughly documented with English comments and docstrings. The most advanced exploits utilize non-public techniques and mitigation bypasses. CISA has added three of these vulnerabilities to its catalog of Known Exploited Vulnerabilities, requiring federal agencies to implement patches. The vulnerabilities affect iOS versions 13 to 17.2.1; versions newer than 17.2.1 are not affected. The exploits are ineffective when Apple's Lockdown Mode is enabled or when the browser is in private browsing mode.
Coruna is notable for its use by three distinct hacking groups. Google first observed its use in February of last year by a client of a surveillance vendor. In July 2025, a suspected Russian espionage group exploited another vulnerability to target Ukrainian websites. By December, a financially motivated Chinese threat actor had utilized the kit, allowing Google to retrieve the complete exploit kit.
The proliferation of these exploits suggests an active market for "second hand" zero-day exploits. Google researchers discovered that multiple threat actors have acquired advanced exploitation techniques that can be adapted for new vulnerabilities. Upon analyzing the retrieved exploits, Google found a debug version of the kit, revealing its internal code names and confirming its name as Coruna. The kit targets various iPhone models running iOS versions from 13.0 to 17.2.1.
The 23 exploits include various types such as WebContent read/write, PAC bypass, sandbox escape, and PPL bypass, each targeting specific iOS versions. CISA has specifically highlighted three CVEs: CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000, urging agencies to apply vendor-recommended mitigations or to discontinue use of the product if mitigations are unavailable. These vulnerabilities are frequent targets for malicious cyber actors and pose significant risks to federal operations.
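For a defender, the actionable facts in this report are the affected version range (iOS 13.0 through 17.2.1 inclusive) and the two conditions under which the exploits do not fire (Lockdown Mode, private browsing). The following script is an added example, not code from the article, Google, or CISA: it triages a constructed device inventory against that range. It assumes a hypothetical inventory shape (device name, iOS version string, Lockdown Mode flag) and compares versions numerically rather than as strings, which matters because a plain string comparison would wrongly rank "17.10" below "17.2.1".

```python
from dataclasses import dataclass

# Affected range as stated in the report: iOS 13.0 through 17.2.1 inclusive.
# Anything newer than 17.2.1 is reported as not affected.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> tuple:
    """Parse 'major[.minor[.patch]]' into a 3-tuple so it compares numerically.

    Missing components are treated as 0, so '17.2' == (17, 2, 0).
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


@dataclass
class Device:
    """Hypothetical inventory record (constructed for this example)."""
    name: str
    ios_version: str
    lockdown_mode: bool = False


def assess(device: Device) -> tuple:
    """Return (status, note) for one device.

    status is one of:
      'outside_range' - version not within the reported affected range
      'mitigated'     - affected version, but Lockdown Mode is on (report says
                        the exploits are ineffective); the update is still due
      'exposed'       - affected version and no mitigation in place
    """
    version = parse_ios_version(device.ios_version)
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return ("outside_range", f"{device.ios_version} is outside 13.0-17.2.1")
    if device.lockdown_mode:
        return ("mitigated", "Lockdown Mode on; schedule update past 17.2.1")
    return ("exposed", "update to a release newer than 17.2.1 immediately")


def triage(devices) -> dict:
    """Group device names by status so the exposed set is one lookup away."""
    groups = {"exposed": [], "mitigated": [], "outside_range": []}
    for device in devices:
        status, _ = assess(device)
        groups[status].append(device.name)
    return groups


# Constructed sample inventory; values are made up for illustration.
SAMPLE_INVENTORY = [
    Device("field-phone-01", "17.2.1"),                      # last affected build
    Device("field-phone-02", "17.3"),                        # newer than range
    Device("field-phone-03", "17.10"),                       # string compare would mis-rank this
    Device("field-phone-04", "16.7.8", lockdown_mode=True),  # affected, mitigated
    Device("field-phone-05", "12.5.7"),                      # older than stated range
]

if __name__ == "__main__":
    for name_list_status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{name_list_status:14s} {', '.join(names) or '-'}")
```

Devices reported as `outside_range` because they run something older than iOS 13 are not thereby safe; the report only states the range Coruna targets, so those devices still belong on the update list for other reasons.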