Morning Overview

Apple’s leaked ‘Coruna’ and ‘DarkSword’ exploit kits are indiscriminately targeting iPhones running anything below iOS 26.2

Two leaked iPhone exploit kits are now circulating beyond the hands of the surveillance vendors that originally built them, and every iPhone running software older than iOS 26.2 is a potential target. The kits, known in security research circles as “Coruna” and “DarkSword,” exploit a vulnerability tracked as CVE-2025-43510, which Apple patched in its iOS 26.2 release. The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and, under Binding Operational Directive 22-01, ordered all federal civilian agencies to apply the fix by a set deadline. That directive is reserved for vulnerabilities CISA has evidence are being exploited in real-world attacks right now.

What makes this situation unusually dangerous is accessibility. Prior iOS zero-days typically stayed in the arsenals of well-funded intelligence services or commercial spyware firms. Once an exploit kit leaks, the skill and budget required to use it drop sharply. A broader pool of attackers, from financially motivated criminals to lower-tier surveillance operators, can pick up the tools and deploy them against ordinary people.

What the primary sources confirm

The verified core of this story rests on three interlocking sources. First, the National Vulnerability Database (NVD) entry maintained by NIST serves as the root record. It indexes the vulnerability, links to Apple’s vendor advisories confirming which products and software versions are affected, and references a technical analysis of DarkSword published by Google’s Threat Intelligence Group (GTIG).

Second, Apple’s own security advisories, linked from the NVD entry, confirm that iOS 26.2 closes the hole. Any iPhone still running an earlier release remains exposed. Apple has not publicly disclosed how many devices have been compromised or how many users have updated, which is consistent with the company’s longstanding practice of limiting disclosure to affected products and patch availability.

Third, CISA’s KEV catalog entry provides a policy signal with teeth. When CISA adds a vulnerability to the KEV, it means the agency has sufficient evidence of active exploitation to compel federal remediation. The listing does not quantify the scale of attacks or name specific threat actors, but it functions as an institutional confirmation that exploitation is not theoretical.

GTIG’s DarkSword write-up, referenced within the NVD record, offers the most detailed public look at how the exploit chain works. That analysis establishes DarkSword as a structured kit, not a one-off proof of concept, and its inclusion in the NVD’s reference list gives it institutional weight beyond a standalone research blog post.

Where the picture is still incomplete

Important gaps remain, and readers should weigh them before accepting every detail circulating online.

The leak itself is unattributed. No primary source, not Apple, not CISA, not GTIG, has confirmed who leaked the Coruna and DarkSword kits, when the leak happened, or through what channel the tools spread. Secondary cybersecurity outlets have pointed to dark-web dumps, but those accounts rely on anonymous forum posts and unverifiable screenshots rather than forensic findings from law enforcement or named researchers.

Coruna has thinner documentation than DarkSword. The NVD record references GTIG’s analysis of DarkSword but includes no comparable technical reference for Coruna. Whether Coruna exploits the same CVE, uses a separate vulnerability chain, or is simply a repackaged variant of DarkSword is not established in any primary record available as of June 2026. Claims about Coruna’s specific capabilities or pricing should be treated as unverified.

Infection numbers do not exist in any official source. Neither the NVD nor CISA publishes exploitation statistics. Any specific figures for compromised devices that appear in secondary coverage lack an institutional anchor.

Underground pricing is speculative. Some reports have cited dollar amounts for what DarkSword sells for on closed marketplaces. No official vendor, law enforcement, or institutional analysis reviewed here confirms a specific price.

What iPhone owners should do right now

The practical response is simple even though the technical picture is still developing: update to iOS 26.2 or later immediately. Apple’s advisories confirm this release contains the security fix for CVE-2025-43510. To check your current version, open Settings → General → Software Update and install any available update.

Beyond updating, basic mobile hygiene reduces exposure to the delivery methods exploit kits typically rely on:

  • Do not tap links or open attachments from unknown senders. Most mobile exploit chains need the target to visit a malicious page or interact with a crafted message at least once.
  • Avoid sideloaded configuration profiles and untrusted enterprise certificates. These are common vectors for installing persistent payloads outside the App Store’s review process.
  • Be skeptical of unexpected prompts requesting device management permissions. Legitimate apps rarely need them; exploit kits often do.

For users who suspect their device may have been compromised before the update was available, a more thorough approach is warranted: create an encrypted backup, perform a factory reset, and restore only from a backup point known to predate any suspicious activity. This can clear persistent artifacts such as malicious profiles or altered settings that survive a simple software update.

What organizations and security teams should prioritize

Enterprises and government agencies face a wider set of obligations. Asset inventories need to accurately identify every managed iPhone running a version below iOS 26.2, and mobile device management (MDM) platforms should enforce a minimum OS version policy as soon as the update is validated for the environment. Because CISA’s KEV listing signals confirmed exploitation, organizations that follow federal cybersecurity guidance should treat this as a priority remediation item, not a routine patch-cycle update.
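One way to turn the inventory requirement above into a repeatable check. This is an added example, not code from the article, Apple, CISA or any MDM vendor; it assumes a hypothetical CSV export with `device_id`, `model` and `os_version` columns (real MDM exports differ), and it compares versions numerically so that a device on a later point release such as 26.10 or 26.2.1 is not wrongly flagged as below 26.2, while devices that did not report a version are listed separately for follow-up.

```python
"""Flag managed iPhones below a minimum iOS version from an inventory export.

Added example, not from the article or from Apple/CISA. Assumes a constructed
CSV layout (device_id, model, os_version); adapt the column names to your MDM.
"""
import csv
import io
import re

# Minimum release: the iOS version Apple's advisory names as fixing CVE-2025-43510.
MIN_IOS = "26.2"

# Constructed sample inventory export for this example; real exports differ.
SAMPLE_INVENTORY = """device_id,model,os_version
dev-001,iPhone 15,26.1
dev-002,iPhone 14,26.2
dev-003,iPhone 16,26.10
dev-004,iPhone 13,26.2.1
dev-005,iPhone 15 Pro,25.7.4
dev-006,iPad Pro,26.1
dev-007,iPhone 12,not reported
"""


def parse_version(text):
    """Turn '26.2.1' into (26, 2, 1); return None if the field is not a version string."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def version_below(candidate, minimum):
    """True when candidate < minimum, comparing numerically component by component.

    Shorter tuples are padded with zeros, so (26, 2) is not below (26, 2) and
    (26, 2, 1) is not below (26, 2); string comparison would get '26.10' wrong.
    """
    width = max(len(candidate), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(candidate) < pad(minimum)


def find_unpatched(csv_text, minimum=MIN_IOS, model_prefix="iPhone"):
    """Return (unpatched_ids, unknown_ids) for devices whose model starts with model_prefix.

    unpatched_ids: devices reporting a version below `minimum`.
    unknown_ids:   devices whose os_version field could not be parsed; these need
                   manual follow-up rather than being silently treated as compliant.
    """
    min_tuple = parse_version(minimum)
    unpatched, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["model"].startswith(model_prefix):
            continue  # other device classes are outside this check
        version = parse_version(row["os_version"])
        if version is None:
            unknown.append(row["device_id"])
        elif version_below(version, min_tuple):
            unpatched.append(row["device_id"])
    return unpatched, unknown


if __name__ == "__main__":
    below, not_reported = find_unpatched(SAMPLE_INVENTORY)
    print("below minimum:", below)            # ['dev-001', 'dev-005']
    print("version not reported:", not_reported)  # ['dev-007']
```

The device with a blank or malformed version is reported on its own list on purpose: an inventory that only counts parseable versions will under-report exposure, which matters when the check is feeding a remediation deadline rather than a routine report.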

Security operations teams should review mobile endpoint telemetry for indicators consistent with exploit deployment: unusual browser crashes or restarts, unexpected configuration profile installations, and outbound connections to infrastructure flagged by threat intelligence feeds. While the public GTIG analysis focuses on DarkSword specifically, many behavioral indicators overlap across mobile exploit kits targeting iOS.

High-risk individuals within an organization, such as executives, legal counsel, journalists, or staff with access to sensitive systems, may warrant additional hardening. Options include restricting unmanaged app installation, limiting personal Apple ID use on work devices, enabling Apple’s Lockdown Mode where operationally feasible, and delivering targeted security awareness training focused on mobile phishing and malicious links.

Why this threat is different from past iOS zero-days

iOS vulnerabilities surface regularly, and Apple patches them regularly. What elevates CVE-2025-43510 is the combination of a confirmed active exploit, a leaked toolset that lowers the barrier to entry, and a CISA directive that treats the risk as urgent enough to mandate federal action. That combination is rare.

Most prior iOS zero-days stayed tightly controlled. The operators were typically nation-state intelligence services or commercial spyware vendors like NSO Group, and the targets were specific: journalists, activists, diplomats. A leaked kit changes the economics. When a working exploit chain is available to anyone willing to download it, targeting shifts from surgical to indiscriminate. The attacker no longer needs to justify the cost of a bespoke zero-day against a single high-value target; the tool is already built and free.

That shift is exactly what federal records and GTIG’s analysis point toward. The verified evidence confirms a real vulnerability, a real patch, real exploitation in the wild, and at least one publicly analyzed exploit kit built to take advantage of it. The unverified portions, including the full story behind Coruna, the leak’s origin, and the scale of infections, may become clearer as law enforcement investigations and further technical analyses emerge. Until then, the most reliable defense remains the simplest one: keep your iPhone updated to iOS 26.2 or later, and do not wait.

*This article was researched with the help of AI, with human editors creating the final content.