Security & Infrastructure Tools
Apple patches older iPhones and iPads against Coruna exploits
Apple released security updates to patch older iPhones and iPads against vulnerabilities exploited by the Coruna exploit kit, which has been used in cyberespionage and crypto-theft attacks since 2025. The updates backport fixes for several kernel and WebKit use‑after‑free issues (CVE‑2023‑41974, CVE‑2024‑23222, CVE‑2023‑43000, CVE‑2023‑43010) to devices running iOS 15.8.7/16.7.15 and iPadOS 15.8.7/16.7.15, including models such as iPhone 6s, 7, SE (1st gen), 8, X, and various iPads. The U.S. Cybersecurity Agency (CISA) has added these vulnerabilities to its known-exploited list and urged federal agencies to patch devices by March 26, citing the risks of kernel privilege escalation and remote code execution. Apple also fixed a zero‑day CVE‑2026‑20700 earlier in the year, used in sophisticated attacks targeting specific individuals.
Apple has rolled out a series of security updates aimed at safeguarding older iPhones and iPads from a set of vulnerabilities that have been exploited in recent cyberespionage and crypto‑theft campaigns using the Coruna exploit kit. These patches bring fixes that were originally released for newer iOS models back to devices that cannot upgrade to the latest operating system.
The update addresses multiple exploitation chains that attackers use to elevate privileges or execute remote code on vulnerable devices. The key vulnerabilities patched include:
- CVE‑2023‑41974 – a Kernel use‑after‑free flaw mitigated by improved memory management.
- CVE‑2024‑23222 – a WebKit type confusion issue fixed with stricter checks.
- CVE‑2023‑43000 – another WebKit use‑after‑free vulnerability addressed through better memory handling.
- CVE‑2023‑43010 – a related WebKit flaw resolved by enhanced memory safeguards.
Affected devices span a broad range of older models running iOS 15.8.7/16.7.15 and iPadOS 15.8.7/16.7.15, including the iPhone 6s, 7, SE (1st gen), 8, 8 Plus, X, as well as the iPad Air 2, iPad mini 4th gen, iPod touch 7th gen, iPad 5th gen, and the early‑generation Pro models.
The Coruna exploit kit has been in circulation since February 2025, with evidence of use by multiple threat groups such as a suspected Russian state‑backed hacker (UNC6353), a surveillance vendor customer, and a financially motivated Chinese actor (UNC6691). The latter group deployed the kit on counterfeit gambling and crypto sites to deliver malware that stole cryptocurrency wallets from infected devices.
Recent reports from Google’s Threat Intelligence Group confirm the widespread use of this exploit kit. CISA has added three of the 23 vulnerabilities targeted by Coruna to its catalog of known exploited vulnerabilities, including CVE‑2023‑43010. The U.S. cybersecurity agency has also issued a directive urging federal civilian agencies to patch their iOS devices by March 26 under BOD 22‑01.
Apple previously addressed a zero‑day vulnerability (CVE‑2026‑20700) that was exploited in an “extremely sophisticated attack” targeting specific individuals, allowing attackers to execute arbitrary code on compromised devices. While Apple did not disclose details of the exploitation method, it highlighted that Google’s Threat Analysis Group had reported the flaw.
These updates underscore the importance of keeping older iOS devices up to date with the latest security patches, especially given the evolving threat landscape and the increasing sophistication of exploit kits like Coruna. Users should promptly apply these fixes to protect their personal data and maintain device integrity.