As of June 2026, millions of iPhones are still running software older than iOS 26.3, and every one of them carries a vulnerability that Apple itself called part of an “extremely sophisticated attack.” Two leaked exploit kits, tracked by threat intelligence researchers under the names Coruna and DarkSword, continue to target that unpatched code path. The result is a hard line between phones that have been updated and phones that can still be reliably surveilled.
The vulnerability and who confirmed it
The flaw is tracked as CVE-2026-20700 in the National Vulnerability Database. Apple’s own advisory, mirrored in the NVD entry, describes the bug as exploited in an “extremely sophisticated attack.” That phrase is not boilerplate. Apple has historically reserved it for vulnerabilities tied to commercial spyware vendors or state-backed operators, the same category that produced the Pegasus infections documented by Citizen Lab and the Predator campaigns exposed by Google’s Threat Analysis Group in prior years.
The federal government moved quickly. The Cybersecurity and Infrastructure Security Agency added CVE-2026-20700 to its Known Exploited Vulnerabilities Catalog, a list reserved for flaws with confirmed real-world exploitation. Inclusion is not speculative; CISA requires evidence that a vulnerability has been used against actual targets before it qualifies. The catalog’s remediation directive for federal civilian agencies is blunt: “apply mitigations per vendor instructions,” with a binding compliance deadline. For the private sector, that listing functions as a loud signal that the risk has moved well past theoretical.
Apple patched the flaw in iOS 26.3, along with corresponding updates for iPadOS, macOS, watchOS, and visionOS. For anyone who installed the update, the specific code path that Coruna and DarkSword exploit no longer exists on the device. The protection is not partial. The kits target a precise flaw, and once it is patched, the attack chain breaks.
Why older phones are still exposed
The problem sits with every iPhone that has not received iOS 26.3. That includes two groups: owners who simply have not tapped “Update” yet, and owners whose hardware cannot run iOS 26 at all. Apple dropped support for iPhone SE (1st generation), iPhone 6s, iPhone 6s Plus, and iPhone 7 series when it released iOS 26. Those devices are permanently locked to iOS 25 or earlier, and no future patch will reach them for this vulnerability.
For the first group, the fix is straightforward but time-sensitive. For the second, the calculus is harder. A phone that will never receive the patch should be treated as compromised-capable for any sensitive use: corporate email, government systems, encrypted messaging, financial accounts. That does not mean the device is worthless, but it does mean its role should shrink to tasks where surveillance carries lower consequences.
What Coruna and DarkSword actually are (and are not)
Both names circulate in threat intelligence channels and security research discussions, but no independent research group has published a full technical teardown of either kit. No peer-reviewed paper, no government-sponsored analysis, and no vendor threat report has laid out the exploit chains, persistence mechanisms, or data exfiltration methods in detail. Researchers have referenced the kits by name and linked them to CVE-2026-20700, but the specifics of what they collect and how they maintain access remain opaque in public literature.
“We can confirm the kits exist and that they automate exploitation of CVE-2026-20700, but nobody in the public research community has had the access or the time to produce a full-chain teardown yet,” said one mobile threat analyst at a major endpoint security firm who spoke on condition of anonymity because their employer had not authorized public comment. “What we do know is that the exploit is reliable. It is not a proof-of-concept that crashes half the time. It works.”
That gap matters. Without published indicators of compromise or detection signatures beyond what Apple’s patch addresses, independent defenders have limited tools to identify infections after the fact. It also means that claims about the kits’ full capabilities should be treated with appropriate caution. The kits are real enough to be discussed across multiple credible threat intelligence sources, but the depth of public evidence does not yet match the severity of the headlines.
What is clear is the direction of the threat. When exploit code leaks from a sophisticated developer, whether a commercial spyware vendor or a state-sponsored lab, the skill barrier for using it drops. Operators who could not have discovered the vulnerability independently can now deploy a packaged attack. The pool of people capable of running these kits is wider today than it was before the leak, and it will stay that way until the vulnerable device population shrinks through updates or hardware retirement.
Open questions that still need answers
No public data exists on how many devices have been compromised through Coruna or DarkSword since the kits leaked. Neither Apple nor CISA has released post-leak exploitation telemetry, leaving analysts without a way to estimate infection volume or identify which regions or user groups face the highest concentration of attacks.
Federal patching compliance is another blind spot. CISA’s catalog sets deadlines, but no public audit has confirmed whether agencies met the remediation window for CVE-2026-20700. Past inspector general reports on federal patch management have documented uneven compliance across departments, and there is no evidence this cycle was different.
The origin story of the two kits also remains unresolved. If they were developed by a single commercial spyware firm and then leaked, the capabilities are likely finite and will degrade as patches spread. If they were assembled independently from shared exploit research, the underlying technique could resurface in new tools even after Coruna and DarkSword lose effectiveness. That distinction shapes how long the threat persists and how broadly it could evolve.
What to do right now
If your iPhone supports iOS 26: Open Settings, tap General, tap Software Update, and install iOS 26.3 or later immediately. This is not a routine maintenance task. It closes the exact vulnerability that weaponized kits are actively exploiting.
If your iPhone is stuck on iOS 25 or earlier: Stop using it for anything sensitive. Do not access corporate email, government portals, encrypted messaging apps, or financial accounts from a device that will never receive this patch. Shift those activities to hardware that can run current software. If replacing the phone is not immediately possible, minimize its exposure by keeping it off networks where it could be targeted and avoiding clicking links from unknown senders.
If you manage a fleet of Apple devices: Inventory every iPhone and iPad in your organization and flag anything below iOS 26.3. Devices that cannot be updated should be segmented from high-value networks, with access restricted to the minimum necessary. Bring-your-own-device policies may need tightening to exclude unpatched versions or to require mobile device management enrollment and strong authentication as conditions of access. Where mobile threat defense tools are deployed, tune alerting for behaviors typical of surveillanceware: persistent microphone access, frequent location polling, unexplained outbound data transfers.
If you are a high-value target (journalist, activist, executive, government official): Assume that any delay in patching increases personal risk. Use a separate, fully updated device for critical work. Enable a strong alphanumeric passcode rather than a simple PIN. Turn on Lockdown Mode, which restricts attack surfaces by disabling certain features like message link previews and inbound FaceTime calls from unknown contacts. These steps reduce exposure but cannot fully substitute for a patched operating system.
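For the fleet inventory step above, a triage script is one way to make the flagging repeatable. This is an added example, not code from the article or from any MDM vendor: it assumes a CSV export with hypothetical columns `serial`, `model` and `os_version`, uses constructed sample rows, and applies the article's 26.3 threshold to every listed device.

```python
import csv
import io

PATCHED = (26, 3)  # first release with the CVE-2026-20700 fix, per the article

# Models the article says cannot run iOS 26; the "iPhone 7" prefix covers the series.
UNPATCHABLE_PREFIXES = ("iPhone SE (1st generation)", "iPhone 6s", "iPhone 7")

# Constructed sample export; column names are hypothetical, not a real MDM schema.
SAMPLE_CSV = """serial,model,os_version
SAMPLE0001,iPhone 15,26.3
SAMPLE0002,iPhone 14,26.2.1
SAMPLE0003,iPhone 7 Plus,15.8
SAMPLE0004,iPhone 16 Pro,26.10
SAMPLE0005,iPad Air,
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if empty or malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(model, os_version):
    """Map one inventory row to an action: patched, update, segment, unknown."""
    if model.strip().startswith(UNPATCHABLE_PREFIXES):
        return "segment"  # hardware will never receive the fix
    version = parse_version(os_version)
    if version is None:
        return "unknown"  # fail closed: an unverified device is not compliant
    # Tuple comparison avoids the string-compare trap where "26.10" < "26.3".
    return "patched" if version >= PATCHED else "update"


def audit(csv_text):
    """Return {serial: action} for every row of the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["serial"]: classify(r["model"], r["os_version"]) for r in reader}


if __name__ == "__main__":
    for serial, action in audit(SAMPLE_CSV).items():
        print(f"{serial}\t{action}")
```

Rows marked `segment` or `unknown` are the ones to restrict from high-value networks; `update` rows only need the software update pushed.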
The update gap is the vulnerability now
CVE-2026-20700 is not unusual because of its technical complexity. Sophisticated zero-days surface regularly in Apple’s ecosystem, and the company patches them. What makes this moment different is the combination of a confirmed active exploit, a leaked toolset that lowers the barrier to using it, and a large population of devices that either have not been updated or never can be. The flaw has been fixed. The kits have not stopped working against phones that missed the fix. Every day the gap between those two facts persists, the number of people who can be surveilled through their own pocket stays larger than it needs to be.
*This article was researched with the help of AI, with human editors creating the final content.