
Digital Event Horizon

Federal Agencies Alert: Mysterious iOS Vulnerability Exploits Spark Concern Over Security


The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to federal agencies, advising them to patch three critical iOS vulnerabilities that were exploited by three distinct hacking groups over a 10-month period. The exploits come from Coruna, an advanced hacking kit that bundles 23 separate iOS exploits into five complete exploit chains.

  • CISA has issued a warning to federal agencies about three critical iOS vulnerabilities from the Coruna exploit kit that were exploited by multiple hacking groups over a 10-month period.
  • The Coruna exploit kit is considered sophisticated: a comprehensive collection of iOS exploits, documented in native English, whose most advanced members use non-public techniques and mitigation bypasses that make them difficult to detect and reverse engineer.
  • Three vulnerabilities (CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000) have been added to CISA's catalog of known exploited vulnerabilities, requiring all federal agencies to patch them.
  • The exploits target iOS versions 13 to 17.2.1 but do not work on newer versions, and they do not fire when Apple's Lockdown Mode is enabled or the browser is in private browsing.
  • Google researchers have collected samples of the Coruna exploit kit, which highlights an active market for "second-hand" zero-day exploits.
  • The exploitation of Coruna emphasizes the need for ongoing vigilance in the face of emerging threats, and organizations must take proactive measures to protect their devices and data.




    According to Google, the core technical value of this exploit kit lies in its comprehensive collection of iOS exploits. The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones use non-public exploitation techniques and mitigation bypasses. This suggests that Coruna is a sophisticated tool, designed to evade detection and reverse engineering.

    CISA has added three of the vulnerabilities to its catalog of known exploited vulnerabilities, requiring all federal agencies under its authority to patch them. The agency advises all organizations to do the same. The exploits work on iOS versions 13 to 17.2.1, but not on newer versions. Additionally, the exploits do not fire when Apple's Lockdown Mode is enabled or the browser is set to private browsing.

    Advanced capabilities of Coruna include a never-before-seen JavaScript framework that uses a unique obfuscation method to prevent detection and reverse engineering. When activated, the framework runs a fingerprinting module to gather information about the device. Based on the results, the framework then loads a WebKit exploit suited to that device, followed by a bypass for the defense known as pointer authentication codes (PAC).

    Coruna was first detected by Google in February of last year, when it was used by a "customer of a surveillance vendor." In July 2025, a "suspected Russian espionage group" exploited CVE-2023-43000 in attacks planted on websites that were frequented by Ukrainian targets. Last December, when it was used by a "financially motivated threat actor from China," Google was able to retrieve the complete exploit kit.

    The use of Coruna highlights an active market for "second-hand" zero-day exploits. Multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities. This suggests that the exploitation of vulnerabilities is becoming increasingly sophisticated, making it harder for organizations to stay secure.

    Google researchers collected a few hundred samples covering a total of five full iOS exploit chains. The 23 exploits, along with the code names and other information, are listed below:

    | Type | Codename | Targeted versions (inclusive) | Fixed versions | CVE |
    |---|---|---|---|---|
    | WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
    | WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
    | WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
    | WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
    | WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
    | WebContent PAC bypass | breezy | 13 → 14.x | ? | No CVE |
    | WebContent PAC bypass | breezy15 | 15 → 16.2 | ? | No CVE |
    | WebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE |
    | WebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE |
    | WebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE |
    | WebContent sandbox escape | IronLoader | 16.0 → 16.3.1, 16.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
    | WebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE |
    | PE | Neutron | 13.X | 14.2 | CVE-2020-27932 |
    | PE (infoleak) | Dynamo | 13.X | 14.2 | CVE-2020-27950 |
    | PE | Pendulum | 14 → 14.4.x | 14.7 | No CVE |
    | PE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
    | PE | Parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974 |
    | PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE |
    | PPL Bypass | Quark | 13.X | 14.5 | No CVE |
    | PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
    | PPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | No CVE |
    | PPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
    | PPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |

    CISA is adding only three of the CVEs to its catalog, which are:

    CVE-2021-30952: Apple Multiple Products Integer Overflow or Wraparound Vulnerability
    CVE-2023-41974: Apple iOS and iPadOS Use-After-Free Vulnerability
    CVE-2023-43000: Apple Multiple Products Use-After-Free Vulnerability
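    For patch triage, an added example (not code from the article or from Google's report) that checks an iOS build against the targeted ranges in the table above and flags the exploits whose CVE is among the three the article says CISA added to its catalog; the rows are transcribed from the table and the device builds are constructed sample input.

```python
# Added example, not code from the article or from Google's report: check an
# iOS build against the Coruna ranges in the table above and flag exploits
# whose CVE is among the three the article says CISA added to its KEV catalog.
# Table rows are transcribed from the article ("→" written as "->"); the
# device builds under __main__ are constructed sample input.

# (type, codename, targeted versions (inclusive), CVE) for a subset of rows
CORUNA = [
    ("WebContent R/W", "buffout", "13 -> 15.1.1", "CVE-2021-30952"),
    ("WebContent R/W", "terrorbird", "16.2 -> 16.5.1", "CVE-2023-43000"),
    ("WebContent R/W", "cassowary", "16.6 -> 17.2.1", "CVE-2024-23222"),
    ("PE", "Parallax", "16.4 -> 16.7", "CVE-2023-41974"),
    ("PE", "Gruber", "15.2 -> 17.2.1", None),
    ("PPL Bypass", "Gallium", "14.x", "CVE-2023-38606"),
    ("PPL Bypass", "Rocket", "17.1 -> 17.4", "CVE-2024-23296"),
]
# The three CVEs the article lists as added to CISA's KEV catalog
KEV = {"CVE-2021-30952", "CVE-2023-41974", "CVE-2023-43000"}


def parse_version(s):
    """'16.5.1' -> (16, 5, 1); a trailing 'x'/'X' wildcard is dropped."""
    return tuple(int(p) for p in s.strip().split(".") if p.lower() != "x")


def in_range(version, spec):
    """True if `version` lies inside a table range such as '13 -> 15.1.1'
    (inclusive at both ends) or a wildcard like '14.x'. A short bound such
    as '16.7' is treated as a prefix, so 16.7.1 counts as covered by it."""
    v = parse_version(version)
    if "->" in spec:
        lo, hi = (parse_version(p) for p in spec.split("->"))
        return v >= lo and v[: len(hi)] <= hi
    prefix = parse_version(spec)  # '14.x' -> (14,)
    return v[: len(prefix)] == prefix


def exposed_exploits(version):
    """[(codename, cve, cve_in_kev)] for every exploit covering `version`."""
    return [(name, cve, cve in KEV)
            for _kind, name, spec, cve in CORUNA if in_range(version, spec)]


def needs_urgent_patch(version):
    """True when some exploit covering this build has a KEV-listed CVE."""
    return any(in_kev for _name, _cve, in_kev in exposed_exploits(version))


if __name__ == "__main__":
    for build in ("16.5.1", "17.3", "14.8.1"):  # constructed fleet sample
        print(build, needs_urgent_patch(build), exposed_exploits(build))
```

    A build that matches no row is not "safe" in any general sense; it only means none of the listed Coruna exploits targets it.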

    These vulnerabilities pose significant risks to the federal enterprise, and organizations are advised to take immediate action to patch them. The agency warns that these types of vulnerabilities are frequent attack vectors for malicious cyber actors.

    In conclusion, the exploitation of Coruna highlights the need for ongoing vigilance in the face of emerging threats. Organizations must take proactive measures to protect their devices and data from sophisticated attacks like this one.



    Related Information:
  • https://www.digitaleventhorizon.com/articles/Federal-Agencies-Alert-Mysterious-iOS-Vulnerability-Exploits-Spark-Concern-Over-Security-deh.shtml

  • https://arstechnica.com/security/2026/03/cisa-adds-3-ios-flaws-to-its-catalog-of-known-exploited-vulnerabilities/

  • https://nypost.com/2026/03/04/tech/mysterious-leaked-us-government-tool-is-breaking-into-iphones/


  • Published: Fri Mar 6 14:28:52 2026 by llama3.2 3B Q4_K_M










