If you are still carrying an iPhone that no longer receives iOS updates, the federal government now considers your device a confirmed target. In late May 2026, the Cybersecurity and Infrastructure Security Agency added a newly disclosed iOS vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, a list CISA reserves exclusively for flaws that have already been used against real targets in the wild. Every civilian federal agency must now patch or pull affected devices by a hard deadline. Consumers running the same outdated software have no such safety net.
Apple confirmed the flaw in a security advisory and released patches for currently supported iPhone models. But devices stuck on iOS 15 or earlier, including the iPhone 7 and older, will not receive a fix. Those phones remain permanently exposed.
What the federal record confirms
The vulnerability, a memory-corruption flaw in WebKit that can be triggered through maliciously crafted web content, earned a high-severity rating in the National Vulnerability Database maintained by the National Institute of Standards and Technology. Its addition to the KEV catalog is significant because CISA applies strict evidentiary criteria: a flaw only qualifies after the agency has reliable evidence of active exploitation, not just a proof-of-concept demo in a research lab.
Once a vulnerability enters the KEV catalog, federal agencies face a binding remediation deadline under Binding Operational Directive 22-01. Automated scanning tools flag unpatched systems, compliance officers track progress, and devices that cannot be updated get pulled from service. That pipeline has measurably shortened the gap between disclosure and remediation on government networks over the past several years. The problem is that it stops at the agency firewall.
Where ‘Coruna’ and ‘DarkSword’ fit in
Private threat-intelligence firms tracking exploitation of this flaw have linked probe activity to two exploit kits known in research circles as Coruna and DarkSword. Analysts at multiple firms have attributed the operators behind those kits to groups with assessed ties to Russian and Chinese state interests, consistent with a long pattern of both countries’ intelligence services stockpiling iOS zero-days and near-zero-days for surveillance operations.
That attribution carries an important caveat. Neither CISA nor Apple has publicly named nation-state actors in connection with this specific vulnerability. Government vulnerability databases deliberately avoid actor attribution in individual entries; that level of detail typically surfaces later through classified briefings, private-sector threat reports, or law-enforcement indictments. The Coruna and DarkSword links should be treated as informed, credible assessments from the threat-intelligence community rather than confirmed government findings.
What lends weight to those assessments is context. Russian-linked groups have repeatedly targeted iOS through zero-click exploits delivered via iMessage and WebKit, as documented in Kaspersky’s Operation Triangulation research and in findings published by Google’s Threat Analysis Group. Chinese-linked operators have similarly exploited WebKit flaws to target journalists, dissidents, and Uyghur communities, according to reports from Citizen Lab at the University of Toronto. The pattern is well established even when the specifics of a single campaign remain under analysis.
Why older iPhones bear the greatest risk
Apple supports each iPhone model with software updates for roughly five to six years after release. Once a device falls off the supported list, it stops receiving security patches entirely. As of June 2026, models including the iPhone 7, iPhone 6s, and the original iPhone SE no longer qualify for any iOS updates. According to Apple’s own install-base data, a meaningful share of active iPhones worldwide still run iOS versions that are at least two major releases behind the current version, placing tens of millions of devices in the permanently vulnerable category.
Those users face a structural disadvantage. When Apple patches a WebKit flaw for iOS 17 or iOS 18, the patch notes effectively serve as a roadmap for attackers. Exploit developers can reverse-engineer the fix, confirm the bug still exists on older firmware, and build reliable exploits against devices that will never be updated. Security researchers call this “patch-gapping,” and it turns every new advisory into a countdown clock for anyone on unsupported hardware.
The gap between federal and consumer protection
When CISA sets a remediation deadline, agencies act. They have budgets, compliance teams, and procurement channels designed to close exactly this kind of gap. Individual iPhone owners have none of that infrastructure. Many do not know the vulnerability exists. Many do not realize their device has aged out of security support. And even those who do understand the risk face a blunt reality: the only true fix is replacing the phone, a cost that federal procurement budgets absorb easily but that millions of consumers weigh against rent, groceries, and other priorities.
That asymmetry is not new, but this latest KEV entry puts it in sharp relief. The federal government has decided the flaw is dangerous enough to require emergency action on every affected agency device. The same flaw exists on consumer phones that will never see a patch. No federal mandate covers those devices, and no automated compliance scan will flag them.
What at-risk users should do right now
If you are unsure whether your iPhone still receives updates, open Settings > General > Software Update. If the device shows no pending update and your iOS version number is more than one major release behind the current version (iOS 18 as of June 2026), your phone is likely outside Apple’s active support window.
At that point, the safest move is upgrading to a supported device. But if that is not immediately possible, several steps can reduce your exposure while the phone remains in use:
- Disable iMessage and FaceTime. Many iOS exploit chains in recent years have used the messaging stack as an entry point, including zero-click attacks that require no interaction from the victim.
- Limit app installs. Stick to well-known apps and avoid sideloaded profiles. Fewer installed components means fewer potential targets in an exploit chain.
- Turn off Bluetooth and Wi-Fi in public spaces when you are not actively using them. This blunts proximity-based attack vectors.
- Move sensitive accounts to a supported device. If you keep the older phone for casual use, shift banking apps, email, and authentication apps to hardware that still receives patches.
- Enable hardware security keys or app-based multi-factor authentication on your most important accounts. This limits the damage even if the older device is compromised.
None of these steps fixes the underlying vulnerability. Each one simply makes successful exploitation harder and limits the blast radius if an attacker does get through.
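The support-window check described above, together with the kind of inventory triage the earlier section credits to the federal KEV process, can be reduced to a few lines of code. The following is an added example, not code from the article or from CISA or Apple: it parses an iOS version string, applies the article's rule of thumb (more than one major release behind the current iOS 18 means likely unsupported), and maps each device in a small constructed inventory to the action a BOD 22-01 style tracker would demand, measured against the catalog entry's due date. The KEV field names match the public KEV JSON feed, but the CVE id, dates, device names and version numbers are placeholders, and the assumption that iOS 16 is the oldest branch that received a fix is inferred from the article's statement that iOS 15 and earlier will not be patched.

```python
from dataclasses import dataclass
from datetime import date

# Constructed KEV-style record. Field names follow the public KEV JSON feed;
# the CVE id and dates are placeholders, not the real catalog entry.
SAMPLE_KEV_ENTRY = {
    "cveID": "CVE-0000-00000",
    "vendorProject": "Apple",
    "product": "iOS",
    "vulnerabilityName": "WebKit memory corruption (placeholder name)",
    "dateAdded": "2026-05-28",
    "dueDate": "2026-06-18",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
}

# Assumptions taken from the article: iOS 18 is current as of June 2026 and
# devices on iOS 15 or earlier will not receive a fix.
CURRENT_MAJOR = 18
OLDEST_PATCHED_MAJOR = 16


@dataclass
class Device:
    name: str
    ios_version: str        # as shown under Settings > General > About
    update_available: bool  # what Settings > General > Software Update reports


def parse_ios_version(text: str) -> tuple:
    """Turn '15.8.3' into (15, 8, 3); tolerates an 'iOS ' prefix."""
    digits = text.lower().replace("ios", "").strip()
    return tuple(int(part) for part in digits.split("."))


def outside_support_window(ios_version: str, current_major: int = CURRENT_MAJOR) -> bool:
    """The article's consumer rule of thumb: more than one major behind is likely unsupported."""
    return parse_ios_version(ios_version)[0] < current_major - 1


def remediation(device: Device, oldest_patched_major: int = OLDEST_PATCHED_MAJOR) -> str:
    """Map one device to the action a KEV-driven tracker would require."""
    major = parse_ios_version(device.ios_version)[0]
    if major < oldest_patched_major:
        return "retire"   # no fix will ship; pull from service or replace
    if device.update_available:
        return "update"   # a fix exists but has not been applied
    return "ok"


def days_until_due(kev_entry: dict, today: date) -> int:
    """Days left before the catalog due date; negative means overdue."""
    return (date.fromisoformat(kev_entry["dueDate"]) - today).days


def triage(devices, kev_entry: dict, today: date) -> list:
    """Build the flagged list an automated scan would hand to compliance staff."""
    remaining = days_until_due(kev_entry, today)
    report = []
    for dev in devices:
        action = remediation(dev)
        if action != "ok":
            report.append({
                "device": dev.name,
                "ios": dev.ios_version,
                "action": action,
                "cve": kev_entry["cveID"],
                "days_until_due": remaining,
                "overdue": remaining < 0,
            })
    return report


# Constructed inventory: one device per outcome.
SAMPLE_INVENTORY = [
    Device("field-iphone-7", "15.8.3", False),
    Device("desk-iphone-13", "17.6.1", True),
    Device("exec-iphone-15", "18.5", False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, SAMPLE_KEV_ENTRY, date(2026, 6, 10)):
        print(row)
```

The "retire" outcome is the one the article is about: a device on an iOS branch below the oldest patched major cannot be brought into compliance by updating, so the only closing action is removal or replacement, which is exactly the step consumers have no mandate or budget for.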
A policy gap that keeps widening
Every time a new iOS flaw lands in the KEV catalog, the same split plays out: rapid containment on government networks, quiet exposure on millions of aging consumer devices. Apple has gradually extended its support windows and occasionally backported critical fixes to older iOS branches, but the company has not committed to a formal end-of-life security policy that would give consumers a clear timeline for when their device becomes a liability.
Until that changes, each new catalog entry will carry a dual life. For federal agencies, it is a compliance task with a deadline and a budget line. For the person still pocketing an iPhone 7 on the subway, it is a risk they probably do not know they are carrying.
*This article was researched with the help of AI, with human editors creating the final content.