CISA Mandates Urgent Fixes for 3 iOS Vulnerabilities Exploited by Coruna Kit

The discovery of critical iOS vulnerabilities actively exploited in the wild has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an urgent patching mandate. Federal agencies and private organizations must immediately address three specific flaws leveraged by a sophisticated exploit kit known as Coruna.

This alert is critical for IT administrators, federal security teams, and everyday iPhone users running older software versions. By understanding the scope of these exploits, users can take immediate action (specifically, updating past iOS version 17.2.1 or enabling Apple Lockdown Mode) to shield their devices from state-sponsored and financially motivated cyberattacks.

The proliferation of the Coruna kit underscores a growing and dangerous trend: the thriving market for second-hand zero-day exploits. As advanced exploitation techniques trickle down from surveillance vendors to diverse threat actors, the window for patching known vulnerabilities continues to shrink, leaving organizations that delay updates highly exposed.

The Coruna Exploit Kit Architecture

The hacking campaigns were detailed on Thursday in a report published by Google. According to the researchers, the Coruna kit amassed 23 separate iOS exploits organized into five potent exploit chains. The kit targets various iPhone models running iOS versions 13.0 through 17.2.1. Devices running versions beyond 17.2.1 are not vulnerable, and the exploits fail to execute if Apple Lockdown is activated or if the browser is set to private browsing.

Coruna features advanced capabilities, including a never-before-seen JavaScript framework that utilizes a unique obfuscation method to prevent detection and reverse engineering. When activated, this framework runs a fingerprinting module to gather specific device information. Based on those results, it loads a suitable WebKit exploit, followed by a bypass for a defense mechanism known as pointer authentication code.

Google researchers noted that the kit was utilized by three distinct hacking groups over a 10-month span. It was first detected in February of last year in an operation by a customer of a surveillance vendor, exploiting a vulnerability tracked as CVE-2025-23222 that had been patched 13 months earlier. Subsequently, a suspected Russian espionage group used it in July 2025 against Ukrainian targets, and a financially motivated threat actor from China deployed it last December.

CISA's Mandated Security Patches

In response to the threat, CISA added three specific vulnerabilities from the Coruna kit to its catalog of known exploited vulnerabilities. The agency directed federal entities to apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

The three specific vulnerabilities added to the CISA catalog are:

  • CVE-2021-30952: Apple Multiple Products Integer Overflow or Wraparound Vulnerability
  • CVE-2023-41974: Apple iOS and iPadOS Use-After-Free Vulnerability
  • CVE-2023-43000: Apple Multiple products Use-After-Free Vulnerability

Frequently Asked Questions

Which iOS versions are affected by the Coruna exploit kit?
The exploit kit is capable of targeting iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023).

How can users protect their devices from these exploits?
Updating to any iOS version beyond 17.2.1 neutralizes the threat. Additionally, the exploits do not function when Apple Lockdown mode is activated or when a browser is set to private browsing.
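The two facts that matter for a defender here are the affected version window (iOS 13.0 through 17.2.1, inclusive) and the three CVE IDs CISA added to its Known Exploited Vulnerabilities catalog. The script below is an added example, not code from the article, Google, or CISA: it classifies a device inventory against that window and cross-references a KEV-style feed for the listed CVE IDs. The inventory records, their field names (`name`, `ios_version`, `lockdown_mode`), and the feed excerpt are constructed; only the `cveID` field name is taken from the real KEV JSON format, and the other feed values are placeholders.

```python
"""Fleet audit for the Coruna version window.

Added example (not from the article or the cited report). Assumes a constructed
device inventory and a constructed excerpt shaped like CISA's KEV JSON feed.
"""
import json
import re

# Affected window stated in the article: iOS 13.0 through 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# CVE IDs from the article's list of KEV additions.
CORUNA_KEV_CVES = {"CVE-2021-30952", "CVE-2023-41974", "CVE-2023-43000"}

# Constructed excerpt in the shape of the KEV feed. Only the CVE IDs come from
# the article; the remaining field values are placeholders, not catalog data.
KEV_SAMPLE_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-30952", "vendorProject": "Apple", "requiredAction": "PLACEHOLDER"},
        {"cveID": "CVE-2023-41974", "vendorProject": "Apple", "requiredAction": "PLACEHOLDER"},
        {"cveID": "CVE-2023-43000", "vendorProject": "Apple", "requiredAction": "PLACEHOLDER"},
        {"cveID": "CVE-0000-00000", "vendorProject": "OtherVendor", "requiredAction": "PLACEHOLDER"},
    ]
})

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,2}$")


def parse_version(text):
    """Turn '17.2.1' or '17.2' into a 3-tuple of ints so comparison is numeric.

    A lexical comparison would put '17.10' below '17.2'; a tuple of ints does not.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognized iOS version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_affected_window(version_text):
    """True when the version lies in the inclusive range the article gives for Coruna."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def kev_listed_cves(feed_json, wanted=CORUNA_KEV_CVES):
    """Return which of the wanted CVE IDs appear in a KEV-style feed document."""
    data = json.loads(feed_json)
    listed = {entry.get("cveID") for entry in data.get("vulnerabilities", [])}
    return sorted(wanted & listed)


def assess_device(device):
    """Classify one inventory record.

    'patched'      : above 17.2.1, which the article says is not vulnerable.
    'out_of_scope' : below 13.0; the article does not list these as targeted,
                     so they are reported separately rather than as safe.
    'mitigated'    : in the window, but Lockdown Mode is on (exploits fail per
                     the article); the device still needs the update.
    'vulnerable'   : in the window with no mitigation.
    """
    version = parse_version(device["ios_version"])
    if version > AFFECTED_MAX:
        return "patched"
    if version < AFFECTED_MIN:
        return "out_of_scope"
    if device.get("lockdown_mode"):
        return "mitigated"
    return "vulnerable"


def audit(inventory):
    """Summarize a fleet as {status: [sorted device names]}."""
    report = {"patched": [], "out_of_scope": [], "mitigated": [], "vulnerable": []}
    for dev in inventory:
        report[assess_device(dev)].append(dev["name"])
    return {status: sorted(names) for status, names in report.items()}


# Constructed inventory (hypothetical devices, not real data).
SAMPLE_INVENTORY = [
    {"name": "iphone-a", "ios_version": "17.2.1", "lockdown_mode": False},
    {"name": "iphone-b", "ios_version": "17.3", "lockdown_mode": False},
    {"name": "iphone-c", "ios_version": "16.7.2", "lockdown_mode": True},
    {"name": "iphone-d", "ios_version": "12.5.7", "lockdown_mode": False},
    {"name": "iphone-e", "ios_version": "17.10", "lockdown_mode": False},
]

if __name__ == "__main__":
    print("KEV-listed Coruna CVEs in feed:", kev_listed_cves(KEV_SAMPLE_JSON))
    for status, names in audit(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(names) or '-'}")
```

Devices running a version at or below 17.2.1 with Lockdown Mode off are the ones to prioritize; the "mitigated" bucket is deliberately kept separate from "patched" so that Lockdown Mode is treated as a stopgap rather than a substitute for the update.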

My Take

The lifecycle of the Coruna exploit kit provides a stark warning about the commoditization of cyber weapons. The fact that a single exploit kit was passed from a surveillance vendor's client to a suspected Russian espionage group, and finally to a Chinese financial threat actor, proves that the "second-hand" market for zero-days is highly efficient. Furthermore, Google's observation that CVE-2025-23222 was exploited 13 months after it was patched highlights a systemic failure in enterprise patch management. Organizations can no longer afford to delay routine OS updates; the gap between a patch release and its weaponization by secondary threat actors is closing rapidly.

Sources: arstechnica.com