Morning Overview

“Coruna” and “DarkSword” exploit kits are actively targeting Apple’s iOS 13 through 18.7

If you own an iPhone and have not updated its software recently, two exploit kits are hunting for your device right now. Security researchers have identified toolkits codenamed “Coruna” and “DarkSword” that chain together flaws in Apple’s WebKit browser engine to break into iPhones running iOS versions as old as 13 and as recent as 18.7. The confirmed anchor of both campaigns is CVE-2024-23222, a WebKit vulnerability that Apple patched in January 2024 but that remains unpatched on millions of older devices that no longer receive regular software updates. As of June 2026, the kits are still being used against real targets, and the window of exposure for users on legacy iPhones shows no sign of closing.

What has been confirmed

CVE-2024-23222 is a “type confusion” bug in WebKit, the engine that powers Safari and every other browser on iOS. In plain terms, the flaw tricks the browser into misidentifying a piece of data, which lets an attacker slip in code that the device then executes as if it were legitimate. Apple acknowledged the vulnerability was “actively exploited” when it shipped fixes in iOS 17.3 and macOS Sonoma 14.3 in January 2024.

Two authoritative U.S. government databases back up the severity. The National Institute of Standards and Technology cataloged the flaw in its National Vulnerability Database with standardized severity scoring. The Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities (KEV) catalog, a list reserved for flaws with reliable evidence of real-world exploitation. Federal civilian agencies that find a vulnerability on the KEV list face mandatory remediation deadlines, but the catalog also serves as a clear signal to private companies and individual users: this threat is not theoretical.

Google’s Threat Analysis Group tied CVE-2024-23222 directly to the Coruna exploit chain, confirming the flaw was delivered against real targets rather than discovered only in a lab. According to Google’s analysis, Coruna does not stop at crashing a browser. It uses the initial WebKit foothold as a stepping stone, chaining it with additional privilege-escalation steps to burrow deeper into the operating system, where it can install persistent surveillance tools or siphon data from the device.

The WebKit attack surface is especially broad because of an Apple platform rule: every browser on iOS, whether Safari, Chrome, Firefox, or any in-app web view, must use WebKit as its rendering engine. (A limited exception exists in the European Union under the Digital Markets Act, but the vast majority of iPhones worldwide still operate under this restriction.) That means a single WebKit flaw can be triggered through virtually any app that displays web content.

DarkSword follows a similar playbook, targeting the same WebKit weakness across overlapping iOS versions. Both kits appear engineered for broad compatibility, functioning on devices as old as the iPhone 6s (stuck on iOS 15) and as new as the iPhone 15 and 16 lineups running iOS 18.7. That range, covering roughly seven years of Apple software, suggests the developers invested significant effort in testing against Apple’s evolving security mitigations across multiple hardware generations.

What remains uncertain

The sourcing behind these two kits is not equal, and readers should weigh them accordingly. Coruna has the stronger paper trail: Google’s Threat Analysis Group linked it to CVE-2024-23222 with direct evidence of in-the-wild exploitation, and that CVE is independently confirmed by both CISA and NIST. DarkSword’s specific CVE linkages, beyond the shared WebKit flaw, rest on reporting from commercial security vendors rather than on an official government record or a named primary research publication. The connection is plausible but not independently verified to the same standard.

Apple has not issued a public statement detailing the full scope of iOS versions targeted by either kit. The company patched CVE-2024-23222 for devices capable of running iOS 17.3 and later, and it has historically backported critical fixes to older branches (shipping iOS 15.8.x and iOS 16.7.x security updates well after those versions left mainline support). However, Apple has not clarified whether a backport for this specific flaw reached every still-active older version, leaving a large population of iPhones in an ambiguous position.

How the kits reach their targets is also only partially documented. Security researchers have described watering-hole attacks (compromised websites that silently serve exploits to visitors) and targeted links as likely delivery methods. But no primary research dataset has quantified the number of compromised devices or mapped where victims are located. Without that data, it is impossible to say whether these kits are fueling broad criminal campaigns, tightly focused espionage operations, or some combination.

Claims of nation-state involvement draw on contextual analysis from threat intelligence firms, not on named government attributions or court filings. Analysts infer state backing from clues like infrastructure reuse, victim profiles, and tool sophistication, but those inferences fall short of the evidentiary bar set by a law enforcement indictment or a formal public attribution. Readers should treat geopolitical narratives around Coruna and DarkSword as informed hypotheses, not settled conclusions.

How to evaluate the evidence yourself

The evidence breaks into two tiers. The first and strongest consists of primary government records. CISA’s KEV catalog and NIST’s National Vulnerability Database both confirm CVE-2024-23222 as a real, exploited flaw with standardized severity metrics and remediation guidance. Their inclusion criteria require demonstrated exploitation, not just proof-of-concept code. If you are trying to gauge whether this threat is real, those entries are the floor of confirmed risk.

The second tier consists of vendor threat intelligence, primarily from Google’s Threat Analysis Group and, for DarkSword, from commercial security firms. These reports provide valuable operational detail (exploit chain mechanics, target profiles, attribution hypotheses) but reflect each vendor’s own telemetry. Google’s findings, for example, draw heavily on data from Chrome, Android, and its own monitoring infrastructure. That does not make them unreliable, but it does mean the picture is shaped by what each organization can observe.

Notably absent from the evidence base are direct statements from Apple confirming the scope of targeting, internal telemetry on exploitation attempts, or a public accounting of exactly which devices received patches and which did not. Apple’s security advisories typically acknowledge that a vulnerability “may have been actively exploited” but rarely disclose the scale or attribution of attacks. That reticence is standard for the company, though it forces users and IT teams to rely on third-party researchers for the threat context Apple itself does not provide.

What iPhone owners should do now

If your iPhone can run iOS 17.3 or later, the single most important step is to open Settings, tap General, then Software Update, and install whatever is available. Apple patched CVE-2024-23222 in that release, and subsequent updates have addressed additional WebKit flaws. Keeping current is the most reliable defense.

If your device has reached its end of supported updates and is stuck on iOS 15 or iOS 16, the risk calculation gets harder. You are carrying a phone with a known, exploited browser-engine flaw that sophisticated attackers are actively leveraging. Short of replacing the hardware, partial mitigations can help: avoid tapping links from unknown senders, limit the use of in-app browsers for sensitive tasks, and consider disabling JavaScript in Safari’s settings for high-risk browsing. None of these steps eliminates the vulnerability, but they shrink the attack surface.

Organizations managing mixed device fleets should audit which iOS versions are active on their networks. Mobile device management (MDM) policies can restrict older, unpatched iPhones from accessing sensitive corporate resources, effectively quarantining higher-risk devices from critical data. Monitoring the KEV catalog and the NVD for new Apple entries tied to WebKit should be a standing task for any security team responsible for iOS endpoints.
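The fleet audit and KEV-monitoring tasks above, as an added example written for this article (not Apple, CISA or MDM-vendor code): it sorts iOS versions by whether they are at or past the iOS 17.3 fix for CVE-2024-23222, treats older branches as exposed because the article notes no confirmed backport, and filters a CISA KEV catalog dump for Apple/WebKit rows. The fleet inventory and the catalog rows are constructed sample data; the KEV field names are the public JSON feed's.

```python
"""Fleet triage for CVE-2024-23222 (fixed in iOS 17.3) plus a CISA KEV feed
filter for Apple/WebKit rows. Added example for this article; not vendor code."""
import re
FIXED_IN = (17, 3)  # Apple shipped the fix in iOS 17.3 (January 2024)

def parse_version(text):
    """(major, minor, patch) from '17.3' or 'iOS 16.7.10 (20H350)'; patch defaults to 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no iOS version found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(version_text):
    """patched: 17.3+; update-available: 17.x below 17.3 (can install the fix);
    legacy-exposed: 16.x and older, where no backport of this fix is confirmed."""
    v = parse_version(version_text)
    if v[:2] >= FIXED_IN:
        return "patched"
    if v[0] == FIXED_IN[0]:
        return "update-available"
    return "legacy-exposed"

def audit(inventory):
    """inventory: iterable of (device_id, version_string) -> {device_id: class}."""
    return {dev: classify(ver) for dev, ver in inventory}

def quarantine_candidates(inventory):
    """Device IDs an MDM policy should keep away from sensitive resources."""
    return sorted(d for d, c in audit(inventory).items() if c != "patched")

def kev_apple_webkit(catalog):
    """CVE IDs of KEV entries with vendorProject Apple whose product, name or
    description mentions WebKit (uses the public KEV JSON field names)."""
    hits = []
    for e in catalog.get("vulnerabilities", []):
        if e.get("vendorProject", "").strip().lower() != "apple":
            continue
        text = " ".join(e.get(k, "") for k in ("product", "vulnerabilityName", "shortDescription"))
        if "webkit" in text.lower():
            hits.append(e["cveID"])
    return hits

# Constructed sample data, not real fleet records or real catalog rows.
FLEET = [("ip6s-01", "iOS 15.8.3"), ("ip11-02", "16.7.10 (20H350)"),
         ("ip14-03", "17.2.1"), ("ip15-04", "17.3"), ("ip16-05", "18.7")]
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2024-23222", "vendorProject": "Apple", "product": "WebKit",
     "vulnerabilityName": "constructed: WebKit type confusion", "shortDescription": ""},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "Router"}]}
```

In practice the catalog dict would come from the KEV JSON feed and the inventory from an MDM export; everything classed other than "patched" is a candidate for restricted access until it is updated or replaced.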

The deeper problem Apple has not addressed

For security professionals, the Coruna and DarkSword campaigns are less about a single CVE and more about a structural dependency baked into Apple’s platform. As long as every iOS browser shares a common WebKit core, any serious engine-level flaw will ripple across the entire ecosystem, hitting hardest the users who cannot or do not update promptly.

These campaigns also spotlight a policy question that Apple has so far declined to answer directly: how long should a vendor provide security patches for mobile operating systems that remain widely deployed but are no longer sold? Apple has occasionally backported critical fixes to older iOS branches, but it has never published a formal support lifecycle policy comparable to what Microsoft maintains for Windows. Until that changes, millions of older iPhones will occupy an uncomfortable middle ground: still functional, still connected, still browsing the web through a rendering engine with known holes, and still waiting for a patch that may or may not arrive.


*This article was researched with the help of AI, with human editors creating the final content.