CISA Orders Federal Agencies to Patch Actively Exploited DarkSword iOS Vulnerabilities Affecting iOS 18.4‑18.7

CISA added three DarkSword‑related iOS vulnerabilities to its actively exploited catalog and issued a binding directive for federal agencies to patch iOS 18.4‑18.7 devices by April 3, 2026. The flaws enable sandbox escape, privilege escalation, and remote code execution, and have been leveraged by nation‑state linked threat groups.

LiveThreat™ Intelligence · March 23, 2026 · Source: bleepingcomputer.com

Severity: High · Type: Vulnerability · Confidence: High · Affected: 2 sector(s) · Actions: 4 recommended

What Happened — CISA added three of six DarkSword‑related iOS flaws (CVE‑2025‑31277, CVE‑2025‑43510, CVE‑2025‑43520) to its catalog of actively exploited vulnerabilities and issued a Binding Operational Directive requiring all Federal Civilian Executive Branch agencies to apply Apple’s patches for iOS 18.4‑18.7 by April 3, 2026. The flaws enable sandbox escape, privilege escalation, and remote code execution and have been leveraged by the DarkSword exploit kit in crypto‑theft and cyber‑espionage campaigns.

Why It Matters for TPRM

- Active exploitation means any unpatched iOS device in your supply chain is a viable entry point for espionage or data‑theft malware.

- Government‑mandated remediation timelines highlight the urgency; delays can expose third‑party data to nation‑state actors.

- The exploit kit is linked to multiple threat groups (UNC6748, UNC6353), indicating a broader, multi‑vector risk to vendors and partners that rely on iOS devices.

Who Is Affected — Federal agencies, contractors, and any organization that issues iOS 18.4‑18.7 devices to employees, contractors, or customers (e.g., healthcare, finance, manufacturing, SaaS providers).

Recommended Actions

  • Verify that all iOS devices used by your organization are running Apple’s latest iOS version (≥ 18.8) or have the specific patches applied.
  • Conduct an inventory of iOS assets and map them to third‑party risk registers.
  • Review mobile device management (MDM) policies to enforce timely patch deployment and disable legacy iOS versions.
  • Monitor for indicators of compromise associated with GhostBlade, GhostKnife, and GhostSaber malware families.
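
The first two actions can be scripted against an MDM inventory export. The sketch below is an added example, not part of the original brief or any vendor tooling: it flags devices in the iOS 18.4‑18.7 range, groups them by vendor for the risk register, and counts the days left before the April 3, 2026 deadline. The CSV column names, device records and vendor names are constructed, and treating every patch level of 18.4‑18.7 as unpatched is an assumption.

```python
import csv
import io
from datetime import date

# Values taken from the brief: affected range and the CISA deadline.
AFFECTED_MIN, AFFECTED_MAX = (18, 4), (18, 7)
DEADLINE = date(2026, 4, 3)

# Constructed sample export; the column names are assumptions, not a real MDM schema.
SAMPLE_EXPORT = """device_id,owner,vendor,os_version
D-001,alice,internal,18.6.2
D-002,bob,Acme Logistics,18.8
D-003,carol,Acme Logistics,18.4
D-004,dave,internal,17.7.1
D-005,erin,Northwind Health,18.7.3
D-006,frank,Northwind Health,unknown
"""

def classify(os_version):
    """Return 'affected', 'legacy', 'ok' or 'unknown' for an iOS version string."""
    parts = os_version.strip().split(".")
    try:
        major, minor = int(parts[0]), int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return "unknown"  # unparseable versions need manual review, never a silent pass
    if AFFECTED_MIN <= (major, minor) <= AFFECTED_MAX:
        return "affected"  # assumption: any patch level of 18.4-18.7 counts as unpatched
    return "legacy" if (major, minor) < AFFECTED_MIN else "ok"

def triage(export_text, today):
    """Group device ids by status and by vendor for the third-party risk register."""
    by_status, affected_by_vendor = {}, {}
    for row in csv.DictReader(io.StringIO(export_text)):
        status = classify(row["os_version"])
        by_status.setdefault(status, []).append(row["device_id"])
        if status == "affected":
            affected_by_vendor.setdefault(row["vendor"], []).append(row["device_id"])
    return {
        "by_status": by_status,
        "affected_by_vendor": affected_by_vendor,
        "days_to_deadline": (DEADLINE - today).days,
    }

if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT, date(2026, 3, 23))
    for status, ids in sorted(report["by_status"].items()):
        print(f"{status:9} {', '.join(ids)}")
    print("affected by vendor:", report["affected_by_vendor"])
    print("days to deadline:", report["days_to_deadline"])
```

Devices reported as `unknown` or `legacy` are kept in separate buckets so they are followed up rather than counted as patched.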

Technical Notes — The six CVEs span sandbox escape (CVE‑2025‑31277), privilege escalation (CVE‑2025‑43529), and remote code execution (CVE‑2026‑20700). The flaws are exploited via the DarkSword delivery framework, and the kit drops JavaScript‑based infostealers (GhostBlade, GhostSaber) and the GhostKnife backdoor. All flaws were patched by Apple; only devices stuck on iOS 18.4‑18.7 remain vulnerable. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-darksword-ios-flaws-exploited-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
