Feds Take Notice of iOS Vulnerabilities Exploited Under Mysterious Circumstances

Summary: The Cybersecurity and Infrastructure Security Agency (CISA) has added three iOS vulnerabilities to its catalog of known exploited vulnerabilities, following 10 months of hacking campaigns by three separate groups using the Coruna exploit kit.

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch three critical iOS vulnerabilities that were exploited over a 10-month span in hacking campaigns conducted by three distinct groups. The campaigns came to light on Thursday in a report by Google. All three used Coruna, an advanced exploit kit that bundles 23 separate iOS exploits into five exploit chains. Some of the vulnerabilities had been exploited as zero-days in earlier, unrelated campaigns, but all had been patched by the time Google observed Coruna using them. Even so, against devices running older iOS versions the kit remained a significant threat because of the quality of its exploit code and the breadth of its capabilities.

According to Google researchers, the core technical value of the kit lies in its comprehensive collection of iOS exploits. The exploits are extensively documented, with docstrings and comments written entirely in English. The most advanced ones use non-public exploitation techniques and bypass defenses such as pointer authentication codes (PAC). On Friday, CISA added three of the vulnerabilities to its catalog of known exploited vulnerabilities; that listing requires all federal agencies under CISA's authority to patch them, and CISA advised other organizations to do the same. The exploits work on iOS versions 13 through 17.2.1; versions later than 17.2.1 are not affected. The exploits do not activate when Apple's Lockdown Mode is enabled or when the browser is in private browsing mode.
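The two practical facts in the paragraph above, the affected range (iOS 13 through 17.2.1) and the Lockdown Mode caveat, are what a fleet owner needs to triage a device inventory. The following is an added example, not code from the article or from Google's report: it parses iOS version strings numerically (a plain string compare would wrongly rank "17.10" below "17.2.1") and buckets devices by exposure. The inventory records are constructed sample data, and the field names (device_id, ios_version, lockdown_mode) are assumptions about an MDM export, not any vendor's real schema.

```python
"""
Fleet triage for the iOS version range targeted by the Coruna kit.

Added example, not code from the article or from Google's report. The
inventory below is constructed sample data; the field names (device_id,
ios_version, lockdown_mode) are assumed, not a real MDM vendor's schema.
"""
from dataclasses import dataclass

# Affected range stated in the article: iOS 13 through 17.2.1 inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_version(text: str) -> tuple:
    """Turn '17.2.1' / '17.3' / '16' into a comparable 3-tuple of ints.

    A string compare would rank '17.10' below '17.2.1'; numeric tuples
    compare component by component, which is what we want.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"bad iOS version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))  # pad '17.3' -> (17, 3, 0)


def in_affected_range(version: str) -> bool:
    """True if the version falls inside the range the kit targets."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class Device:
    device_id: str
    ios_version: str
    lockdown_mode: bool


def triage(devices: list) -> dict:
    """Bucket devices by exposure to the kit.

    'exposed'       : affected version, Lockdown Mode off -> patch first
    'mitigated'     : affected version, Lockdown Mode on -> per the report the
                      kit does not fire, but the device is still unpatched
    'outside_range' : later than 17.2.1 (fixed) or older than 13 (below the
                      kit's stated range; that is not evidence of safety)
    """
    buckets = {"exposed": [], "mitigated": [], "outside_range": []}
    for d in devices:
        if not in_affected_range(d.ios_version):
            buckets["outside_range"].append(d.device_id)
        elif d.lockdown_mode:
            buckets["mitigated"].append(d.device_id)
        else:
            buckets["exposed"].append(d.device_id)
    return buckets


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("ipad-001", "17.2.1", lockdown_mode=False),   # last affected release
    Device("iphone-002", "17.3", lockdown_mode=False),   # first release past the range
    Device("iphone-003", "16.7.2", lockdown_mode=True),  # affected, Lockdown Mode on
    Device("iphone-004", "17.10", lockdown_mode=False),  # string-compare trap
    Device("iphone-005", "12.5.7", lockdown_mode=False), # below the kit's range
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>13}: {', '.join(ids) or '-'}")
```

Devices in the "mitigated" bucket should still be patched; Lockdown Mode only stops this kit from running, and the underlying vulnerabilities remain present.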

Coruna's advanced capabilities include a novel JavaScript framework that uses unusual obfuscation methods to hinder detection and reverse engineering. When triggered, the framework first runs a fingerprinting module to collect information about the device. Based on the result, it loads the WebKit exploit appropriate for that device, followed by a bypass for pointer authentication codes.

Coruna is notable for its use by three distinct hacking groups. Google first detected its use in February of last year in an operation conducted by a

Key facts

  • CISA added three iOS vulnerabilities to its catalog of known exploited vulnerabilities.
  • The hacking campaigns used the Coruna exploit kit, which contained 23 separate iOS exploits.
  • Three distinct hacker groups exploited these vulnerabilities over a 10-month period.

Why it matters

This incident highlights the continuing threat posed by high-quality exploit code, even for vulnerabilities that are already patched, and the importance of timely patching. The use of Coruna by multiple groups also suggests an active market for 'second-hand' exploits that were once zero-days, which could have significant implications for both government and private organizations.