Apple Issues Urgent iOS Update Advisory as Coruna & DarkSword Exploit Kits Target Outdated iPhones
What Happened — Apple announced that iPhones running iOS 13‑17.2.1 are being actively targeted by two sophisticated exploit kits, Coruna (aka CryptoWaters) and DarkSword. The kits deliver web‑based payloads that can bypass Safari’s protections, steal data, and achieve sandbox escapes. Apple released emergency patches on 11 Mar 2026 and urges all users to upgrade.
Why It Matters for TPRM
- Legacy iOS devices in corporate fleets become a direct entry point for credential theft and data exfiltration.
- Exploit‑kit activity spikes after a vendor issues an advisory, increasing the likelihood of successful attacks on unpatched endpoints.
- Third‑party vendors that manage iOS devices (MDM providers, enterprise app developers) inherit the risk and must verify patch compliance.
Who Is Affected — Enterprises across all sectors that allow BYOD or issue iPhones to employees (finance, healthcare, retail, government, etc.).
Recommended Actions
- Force iOS 15 or later via MDM policies; require the March 11 security update for iOS 13‑14 devices.
- Enable Lockdown Mode on high‑risk devices and activate Safari Safe Browsing.
- Conduct an inventory of all iOS assets and verify patch status before the next audit cycle.
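The inventory check in the last action, sketched as an added example (not part of Apple's advisory or the source article). It triages a device export against the iOS 13 to 17.2.1 range stated above; the CSV column names and serials are constructed, and versions are compared numerically so that 17.10 is not mistaken for something older than 17.2.1.

```python
import csv
import io

# Affected range as stated in the advisory text: iOS 13 through 17.2.1 inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample of an MDM inventory export (hypothetical column names).
SAMPLE_EXPORT = """serial,owner,os_version
C0NSTRUCT01,alice,13.7
C0NSTRUCT02,bob,17.2.1
C0NSTRUCT03,carol,17.10
C0NSTRUCT04,dave,18.3
C0NSTRUCT05,erin,12.5.7
C0NSTRUCT06,frank,unknown
"""

def parse_version(text):
    """Turn '17.2.1' into (17, 2, 1); return None if it is not a dotted number."""
    parts = text.strip().split(".")
    if len(parts) > 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(os_version):
    """Place one reported version relative to the advisory's stated range."""
    v = parse_version(os_version)
    if v is None:
        return "unverified"          # blank or malformed: needs manual follow-up
    if v < AFFECTED_MIN:
        return "below_range"         # older than the range the advisory names
    if v <= AFFECTED_MAX:
        return "in_affected_range"
    return "above_range"

def triage(export_text):
    """Group device serials by classification."""
    result = {"in_affected_range": [], "below_range": [],
              "above_range": [], "unverified": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        result[classify(row.get("os_version") or "")].append(row["serial"])
    return result

if __name__ == "__main__":
    for status, serials in triage(SAMPLE_EXPORT).items():
        print(f"{status}: {', '.join(serials) or '-'}")
```

The page does not list patched build numbers, so in-range devices are flagged for follow-up rather than declared vulnerable, and devices with an unparseable version are kept visible instead of being silently passed.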
Technical Notes — The kits exploit a series of web‑content vulnerabilities (e.g., CVE‑2021‑30952, CVE‑2022‑48503, CVE‑2023‑43000, CVE‑2024‑23222) to achieve read/write access and sandbox escapes. Some components lack CVE identifiers but still perform PAC bypasses. Apple’s updates address the known CVEs and add mitigations for the exploit chains.
Source: Security Affairs