The Coruna exploit kit leverages multiple iOS vulnerabilities, including three newly cataloged by CISA, to achieve PAC bypass, sandbox escape, and kernel privilege escalation, primarily through malicious websites delivering WebKit exploits for spyware and crypto-theft. The article does not specify CVSS scores, exact affected iOS version ranges, or the specific patched versions, but states exploits are blocked on recent iOS versions and if Lockdown Mode or private browsing are enabled. CISA mandates federal agencies to patch by March 26, and all organizations are urged to apply iOS updates immediately.
CISA warns of Apple flaws exploited in spyware, crypto-theft attacks By Sergiu Gatlan March 6, 2026 10:57 AM 0 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch three iOS security flaws targeted in cyberespionage and crypto-theft attacks using the Coruna exploit kit. As Google Threat Intelligence Group (GTIG) researchers revealed earlier this week , Coruna uses multiple exploit chains targeting 23 iOS vulnerabilities, many of which were deployed in zero-day attacks. However, the exploits will not work on recent versions of iOS and will be blocked if the target is using private browsing or has enabled Apple's Lockdown Mode anti-spyware protection feature. Coruna provides threat actors with Pointer Authentication Code (PAC) bypass, sandbox escape, and PPL (Page Protection Layer) bypass capabilities, and enables them to gain WebKit remote code execution and escalate permissions to Kernel privileges on vulnerable devices. GTIG observed the exploit kit being used by multiple threat actors last year, including a surveillance vendor customer, a suspected Russian state-backed hacking group (UNC6353), and a financially motivated Chinese threat actor (UNC6691). The latter deployed it on fake gambling and crypto websites and used it to deliver a malware payload designed to steal infected victims' cryptocurrency wallets. Coruna attacks timeline (GTIG) Mobile security firm iVerify also said that Coruna is an example of "sophisticated spyware-grade capabilities" that migrated "from commercial surveillance vendors into the hands of nation-state actors and, ultimately, mass-scale criminal operations." On Thursday, CISA added three of the 23 Coruna vulnerabilities to its catalog of Known Exploited Vulnerabilities , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by March 26, as mandated by the Binding Operational Directive (BOD) 22-01. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable," CISA warned. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." Although BOD 22-01 applies only to federal agencies, CISA urged all organizations, including private sector companies, to prioritize patching these flaws to secure their devices against attacks as soon as possible. Red Report 2026: Why Ransomware Encryption Dropped 38% Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight. Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded. Download The Report Related Articles: Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks Google says 90 zero-days were exploited in attacks last year CISA flags VMware Aria Operations RCE flaw as exploited in attacks CISA: Recently patched RoundCube flaws now exploited in attacks Predator spyware hooks iOS SpringBoard to hide mic, camera activity