Apple published new security advisories on Wednesday, informing iPhone and iPad users that updates are available for legacy versions of iOS and iPadOS to address the recently disclosed Coruna exploits.
In early March 2026, researchers from Google and iVerify disclosed the details of a sophisticated exploit kit dubbed Coruna. Described as ‘nation-state grade’, Coruna enables mass exploitation against Apple’s iOS ecosystem.
This toolkit, which packs 23 individual exploits organized into five complete attack chains, has been quietly circulating in the cyber underground, enabling hackers to compromise iPhones running versions from iOS 13.0 (launched in September 2019) up to 17.2.1 (released in December 2023).
The experts warned that its advanced techniques mark it as one of the most potent mobile threats observed in recent years.
The Coruna kit’s origins trace back to commercial surveillance vendors, where it was initially deployed for targeted monitoring operations. From there, it proliferated to nation-state actors, with evidence linking it to espionage campaigns, including Russia-linked attacks against Ukraine. The toolkit has since fallen into the hands of China-linked financially driven cybercriminals, who have repurposed it for large-scale fraud schemes.
With Coruna, attackers can achieve remote code execution on vulnerable devices. Once inside, they gain full system access, allowing the installation of persistent malware.
Apple has patched the underlying vulnerabilities in iOS updates released over the past two years, and it has now also decided to release fixes for users who cannot update to the latest version.
Specifically, iOS and iPadOS 15.8.7 patch four vulnerabilities: CVE-2023-41974, CVE-2024-23222, CVE-2023-43000, and CVE-2023-43010. The first is a kernel issue, while the other three are WebKit flaws.
According to Apple, the kernel vulnerability can be exploited by a malicious app to execute arbitrary code with kernel privileges. A fix was initially rolled out in iOS 17 in September 2023.
The WebKit vulnerabilities can be exploited for arbitrary code execution using specially crafted web content. Fixes for these security holes were initially rolled out by Apple in iOS 17.3 (CVE-2024-23222, January 2024), iOS 16.6 (CVE-2023-43000, July 2023), and iOS 17.2 (CVE-2023-43010, December 2023).
iOS and iPadOS 16.7.15 only address CVE-2023-43010.
While Google has confirmed seeing active exploitation and the cybersecurity agency CISA has added several of the Coruna flaws to its Known Exploited Vulnerabilities (KEV) catalog, Apple’s advisories do not mention in-the-wild exploitation.
Apple typically specifies in its advisories if it’s aware of active exploitation.
Related: Apple iPhone and iPad Cleared for Classified NATO Use
Related: Apple Patches iOS Zero-Day Exploited in ‘Extremely Sophisticated Attack’
