Photo by BleepingComputer on BleepingComputer
What happened
CISA directed U.S. federal agencies to patch three actively exploited iOS vulnerabilities that researchers linked to Coruna, an exploit kit used in espionage and crypto-theft operations.
The flaws were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of March 26, 2026.
Why this matters
Coruna has been observed in multiple actor clusters, including state-linked and financially motivated operations. Reported capability includes:
- WebKit remote code execution paths
- Sandbox and protection bypass techniques
- Privilege escalation toward kernel-level control
For defenders, this is a practical reminder that mobile exploit chains are now part of mainstream intrusion workflows, not just niche spyware operations.
What defenders should do now
- Patch iOS/iPadOS endpoints immediately and verify version compliance in MDM.
- Enable Lockdown Mode for high-risk users (executives, journalists, incident responders).
- Hunt for mobile compromise signals tied to suspicious browser activity and rapid post-exploit credential abuse.
- Review exposure from crypto and finance-related mobile workflows, especially in BYOD fleets.
Bottom line
This is a live exploitation story with federal urgency, not a theoretical bug class. Treat vulnerable Apple endpoints as potential initial-access vectors until patch and posture verification are complete.