Morning Overview

‘Coruna’ and ‘DarkSword’ exploit kits are actively targeting Apple devices running iOS 13 through 18.7 right now

If your iPhone or iPad is not running the latest software update, two exploit kits are built to take advantage of that. The toolkits, tracked under the names “Coruna” and “DarkSword,” target Apple devices running iOS versions 13 through 18.7, according to federal vulnerability records and associated threat intelligence reporting. The U.S. government has confirmed that the underlying vulnerabilities are being exploited right now, not theoretically, not in a lab.

On March 5, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added at least two associated vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies until March 26, 2026, to patch or mitigate. That three-week window tells you something about how seriously the government is treating this. For the hundreds of millions of non-federal iPhone owners, there is no binding deadline. The urgency is yours to decide.

What the government’s own records show

The core evidence sits in two entries in the National Vulnerability Database, maintained by the National Institute of Standards and Technology (NIST).

The first is CVE-2023-41974, a use-after-free flaw. In plain terms, this is a memory-handling bug: the software keeps using a block of memory after it has been freed, and an attacker who can influence what is placed in that reused space can run malicious code. It is a well-understood class of vulnerability, and in this case it can allow an attacker to execute arbitrary code on a target iPhone or iPad. The reference list in the NVD entry for this CVE includes sources that have been linked to Coruna-related reporting, connecting this flaw to the exploit kit’s operational use. (Note: NVD reference lists compile relevant external sources but do not constitute editorial endorsements of the claims made in those sources.)

The second is CVE-2021-30952, a WebKit integer overflow bug originally disclosed years earlier. An integer overflow occurs when a calculation produces a number too large for the system to store correctly, which can be manipulated to corrupt memory and gain control of a process. This CVE also appears in CISA’s KEV catalog, and its NVD record cites a blog post from Google’s Threat Intelligence Group (GTIG) that discusses Coruna. The fact that both a 2021-era and a 2023-era vulnerability appear in the same catalog update suggests that whoever operates Coruna is chaining older, sometimes overlooked bugs with newer ones to build reliable attack paths across multiple iOS generations.

Inclusion in the KEV catalog is not a theoretical warning. CISA only adds vulnerabilities when there is evidence of active exploitation, not just proof-of-concept code. Federal civilian agencies face binding operational directives to remediate within the stated deadline. For everyone else, the catalog functions as the closest thing to a government-backed alarm for specific software flaws.

What this means for your devices

The affected iOS range of 13 through 18.7 is drawn from the CVE descriptions and associated threat intelligence reporting, though no single primary source has published a definitive list of every affected version. That range spans hardware going back to the iPhone 6s (released in 2015) and includes models still in wide daily use. But there is an important distinction: older devices like the iPhone 6s and iPhone 7 stopped receiving major iOS updates after iOS 15 and iOS 16, respectively. If you are using one of those phones, you may not be able to install a patch that addresses these flaws at all. That is not a hypothetical inconvenience. It means those devices carry a permanently elevated risk for these specific vulnerabilities.

For anyone on a device that does support the latest iOS release, the most direct action is to update. Delaying updates for weeks or months keeps the door open to attack vectors the government has already confirmed are in active use.

What remains unclear

Several significant gaps exist in the public record, and they matter.

The specific KEV addition date of March 5, 2026, and the March 26, 2026, remediation deadline are consistent with CISA’s standard 21-day remediation windows and are reported based on NVD catalog records. Readers who want to independently verify these dates can check the KEV catalog directly.

The “DarkSword” name appears in secondary reporting but lacks the same level of direct attribution in primary government databases that Coruna has. Whether DarkSword is a separate toolkit, a module within Coruna, or simply a different label applied by a different research group has not been clarified by any official U.S. agency record available as of June 2026. This is not unusual in cyber threat intelligence, where different vendors frequently coin their own names for overlapping toolsets. Some labels converge over time as technical details are cross-referenced; others quietly disappear.

Apple has not publicly detailed the full scope of either exploit kit’s capabilities or confirmed which device models face the greatest risk beyond the iOS version range. The company’s standard practice is to release security advisories tied to individual CVEs without naming the broader exploit frameworks that chain them together. That approach leaves a gap between what vulnerability researchers and government agencies describe and what Apple communicates directly to customers.

The scale of exploitation is also unknown. CISA’s KEV catalog confirms that attacks are happening but does not publish data on how many devices have been compromised, which regions are most affected, or whether the campaigns are narrowly targeted (aimed at journalists, activists, or government officials, as is common with commercial spyware) or broadly opportunistic. Threat intelligence firms sometimes fill this gap, but their reports are often behind paywalls or released on delayed timelines.

Perhaps most critically, the identity and motivation of the operators remain opaque. The GTIG connection raises questions about whether Coruna is linked to the commercial surveillance industry, state-sponsored hacking, or something else entirely. The public record does not yet answer that question.

How to weigh the sourcing

Not all of the evidence here carries equal weight, and readers should know the difference.

The NVD, operated by NIST’s Information Technology Laboratory, is the U.S. government’s primary repository for vulnerability management data. When an NVD entry states that a CVE has been added to the KEV catalog on a specific date, that is a primary-source fact with institutional accountability behind it. These records are cross-referenced with CISA’s operational catalogs and used as the basis for compliance requirements across government and critical infrastructure.

The GTIG blog post cited in the CVE-2021-30952 record is a different tier. It is a research publication from Google’s threat intelligence arm, not a government determination. Its inclusion in the NVD’s reference list gives it institutional weight (NVD analysts chose to cite it), but it remains an analytical product. Claims drawn from it should be understood as informed analysis, not confirmed government findings.

Any reporting that uses the “DarkSword” label without tying it to a specific CVE or government record should be treated with additional caution until it appears in an NVD entry, a CISA advisory, or a peer-reviewed technical paper.

What to do about it

For individual users: open Settings, tap General, then Software Update. If an update is available, install it. If your device is too old to receive the latest iOS version, consider limiting sensitive activities on that phone, particularly banking, accessing work accounts, or handling confidential communications.

For organizations managing fleets of Apple devices: vulnerabilities listed in the KEV catalog, including those tied to Coruna, should sit at the top of any remediation queue. Mobile device management platforms can enforce minimum OS versions, block access from unpatched devices to internal resources, and flag anomalous behavior that might indicate compromise. Rapid patching sometimes conflicts with the need to test updates against internal apps, but the KEV listing changes the calculus. Known, actively exploited flaws take priority.
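As an added illustration of the minimum-OS gate described above (this is not code from the article, CISA, or any MDM product), the sketch below triages a device inventory against the affected range the article reports. The inventory, the `os` and `max_os` fields, and the decision labels are hypothetical; the KEV field names follow CISA's JSON feed, and being outside the reported range is the only criterion the gate applies.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed; the CVE ids and
# dates are the ones reported in the article.
KEV_EXCERPT = [
    {"cveID": "CVE-2023-41974", "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2021-30952", "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
]
AFFECTED_MIN, AFFECTED_MAX = (13, 0), (18, 7)  # iOS range given in the article

# Constructed inventory. "max_os" (hypothetical field) is the newest release
# the hardware can install, as an MDM export might record it.
FLEET = [
    {"id": "phone-01", "os": "17.4.1", "max_os": "26.0"},
    {"id": "phone-02", "os": "15.8", "max_os": "15.8"},
    {"id": "phone-03", "os": "26.0", "max_os": "26.0"},
]

def parse_version(text):
    """'17.4.1' -> (17, 4). Patch level is dropped so 18.7.x stays in range."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0])[:2])

def in_affected_range(os_version):
    return AFFECTED_MIN <= parse_version(os_version) <= AFFECTED_MAX

def triage(device):
    """Access decision for one device (decision labels are hypothetical)."""
    if not in_affected_range(device["os"]):
        return "allow"
    if in_affected_range(device["max_os"]):
        return "restrict-unpatchable"  # hardware cannot leave the affected range
    return "block-until-updated"

def remediation_window_days(entry):
    added = date.fromisoformat(entry["dateAdded"])
    return (date.fromisoformat(entry["dueDate"]) - added).days

def days_overdue(entry, today):
    return max(0, (today - date.fromisoformat(entry["dueDate"])).days)

def fleet_report(fleet, kev, today):
    return {
        "kev_days_overdue": max(days_overdue(e, today) for e in kev),
        "decisions": {d["id"]: triage(d) for d in fleet},
    }

if __name__ == "__main__":
    print(fleet_report(FLEET, KEV_EXCERPT, date(2026, 4, 2)))
```

Devices that land in `restrict-unpatchable` are the ones whose hardware cannot move past the affected range, so they need a policy decision rather than an update prompt.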

Why mobile exploit kits deserve the same attention as desktop threats

The Coruna and DarkSword reporting fits a pattern that has been building for years: sophisticated exploit development increasingly targets mobile operating systems, not just Windows or macOS. The assumption that iPhones are inherently safer or less interesting to attackers has not held up against the evidence. Commercial spyware vendors like NSO Group demonstrated years ago that iOS exploitation is both technically feasible and commercially valuable. The presence of Coruna-linked CVEs in a federal catalog of actively exploited vulnerabilities reinforces that smartphones are high-value targets that warrant the same seriousness as enterprise servers or desktop endpoints.

Until more technical details become public, the most effective defenses remain straightforward: keep your software current, treat unexpected links and attachments with skepticism, and understand that when the government adds a vulnerability to its exploited-in-the-wild catalog, it is describing something that is happening now, to real devices, operated by real people.

*This article was researched with the help of AI, with human editors creating the final content.