Zero‑Day iOS Exploit Kit “DarkSword” Chains Six Vulnerabilities to Achieve Remote Code Execution on iPhones
What Happened — Google Threat Intelligence Group and iVerify disclosed a new iOS exploit kit, DarkSword, active since November 2025. It strings together six zero‑day flaws (three WebKit, two kernel, one dyld) to gain privileged code execution and exfiltrate data from vulnerable iPhones. Apple has since patched all six flaws across iOS 18.6‑18.7.3 and iOS 26.x releases.
Why It Matters for TPRM
- State‑linked and commercial surveillance actors are already weaponising the kit, indicating a high‑value, nation‑state threat surface.
- Any third‑party service that supplies iOS devices, mobile‑app development, or BYOD programs inherits the same exposure.
- Unpatched devices can be turned into data‑exfiltration points, compromising corporate secrets, credentials, and personal data.
Who Is Affected — Enterprises with iOS device fleets (finance, healthcare, government, tech), mobile‑app vendors, and any MSP/MSSP managing iOS endpoints.
Recommended Actions
- Verify that all iOS devices are running the latest patched versions (iOS 18.7.3 or later, iOS 26.3 or later).
- Accelerate patch deployment for any out‑of‑date devices; enforce mandatory updates via MDM.
- Review third‑party contracts for mobile‑device management and endpoint‑security services; ensure they include zero‑day remediation clauses.
- Conduct threat‑modeling for web‑content delivery paths (e.g., Safari iframe injection) and block suspicious domains (e.g., cdncounter.net).
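The first two actions above come down to one question: which devices in the fleet are still below the patched builds the advisory names? The following script is an added example, not code from Google TIG, iVerify, Apple or Help Net Security. It audits an MDM inventory export and classifies each device against the thresholds stated above (iOS 18.7.3 for the 18.x branch, iOS 26.3 for the 26.x branch). The CSV column names (`device_id`, `os_version`), the sample rows, and the policy of sending any other major version to manual review are assumptions made for the example.

```python
"""
Audit an MDM inventory export for devices still exposed to DarkSword.

Added example for this advisory; not code from Google TIG, iVerify, Apple
or Help Net Security. Patch thresholds come from the advisory text; the
CSV layout, sample rows and the "review" policy for unlisted branches are
assumptions.
"""
import csv
import io
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Minimum patched build per affected major version, as stated in the advisory.
PATCHED_MINIMUM: Dict[int, Tuple[int, int, int]] = {
    18: (18, 7, 3),
    26: (26, 3, 0),
}


class DeviceStatus(NamedTuple):
    device_id: str
    os_version: str
    status: str  # "patched", "vulnerable", "review" or "unparseable"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '18.7.3', '26.3' or 'iOS 18.6.1' into a numeric triple.

    Numeric comparison matters: a string compare would rank 18.7.10 below
    18.7.3 and wrongly flag a patched device.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def classify(os_version: str) -> str:
    """Classify one reported OS version against the advisory thresholds."""
    version = parse_version(os_version)
    if version is None:
        return "unparseable"
    minimum = PATCHED_MINIMUM.get(version[0])
    if minimum is None:
        # Assumption: branches the advisory does not name are escalated for
        # manual review rather than silently treated as safe.
        return "review"
    return "patched" if version >= minimum else "vulnerable"


def audit_inventory(csv_text: str) -> List[DeviceStatus]:
    """Classify every row of an MDM export with device_id/os_version columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        DeviceStatus(row["device_id"], row["os_version"], classify(row["os_version"]))
        for row in reader
    ]


def summarize(results: List[DeviceStatus]) -> Dict[str, int]:
    """Count devices per status for a quick fleet-level view."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r.status] = counts.get(r.status, 0) + 1
    return counts


# Constructed sample export; device ids and versions are made up for the example.
SAMPLE_EXPORT = """device_id,os_version
iphone-001,18.7.3
iphone-002,18.7.2
iphone-003,iOS 18.6.1
iphone-004,26.3
iphone-005,26.2.1
iphone-006,18.7.10
iphone-007,17.7.2
iphone-008,unknown
"""

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_EXPORT)
    print(summarize(results))
    for r in results:
        if r.status != "patched":
            print(f"{r.device_id}: {r.os_version} -> {r.status}")
```

Feed the script the CSV your MDM exports (adjusting the two column names) and push every device it reports as `vulnerable` into the forced-update group; the `review` and `unparseable` buckets are the ones most often missed, since an agent that reports no version at all is frequently a device that has not checked in for a long time.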
Technical Notes — DarkSword exploits CVE‑2025‑31277, CVE‑2025‑43510, CVE‑2025‑43520, CVE‑2025‑43529, CVE‑2025‑14174 (WebKit) and CVE‑2026‑20700 (dyld). The chain begins with a malicious iframe served from compromised Ukrainian sites, fires when Safari loads it, then escalates via the kernel and dyld bugs to run a JavaScript‑based infostealer.
Source: Help Net Security