Advisory

Apple Warns: Older iPhones Vulnerable to Coruna & DarkSword Exploit Kits

Eresus Security Research Team
April 1, 2026

Apple has issued an urgent advisory detailing zero-click and one-click vulnerabilities affecting older, unpatched iOS devices. Security researchers have identified that two prominent mobile exploit kits—Coruna and DarkSword—are being actively deployed in the wild against devices that no longer receive updates from the current iOS release line.

These exploit kits primarily target the Safari browser engine (WebKit) and background iOS daemons to compromise the underlying system, resulting in mass data extraction and persistent device infection.

At Eresus Security, we advise all clients utilizing older Apple devices internally or within BYOD environments to assess their exposure to these critical vulnerabilities immediately.

Understanding the Exploit Kits

While modern iOS (19+) receives continuous proactive patching, older devices often only receive occasional, highly critical backports. DarkSword and Coruna exploits focus on these gaps.

  1. Coruna (The WebKit Drive-By): Exploiting legacy WebKit vulnerabilities, Coruna allows attackers to execute arbitrary code simply by bringing a user to a compromised or malvertised webpage. Once the browser renders the payload, Coruna silently achieves local code execution, bypassing Safari's sandbox. It focuses largely on extracting saved passwords, Apple ID session tokens, and iMessage databases.
  2. DarkSword (The Zero-Click Daemon Exploit): DarkSword is more advanced and stealthy. It reportedly targets older versions of zero-configuration networking logic and message parsing daemons. Simply receiving a maliciously crafted network packet or attachment on an unpatched device can trigger memory corruption, subsequently granting attackers root-level privileges over the device without any user interaction.

The Risks to Corporate Environments

Devices compromised by Coruna and DarkSword are a significant risk to enterprise networks. These kits deploy hidden persistent payloads capable of:

  • Exfiltrating Corporate Email (Exchange/M365 accounts connected to the device).
  • Enabling device microphones and cameras stealthily.
  • Acting as a pivot point inside a corporate Wi-Fi network to target more secure internal assets.

Immediate Action for Enterprises

To mitigate these active threats, organizations should adhere to the following emergency remediation protocol:

  1. Identify Legacy Equipment: Conduct a rapid audit via your Mobile Device Management (MDM) solution to identify any iPhones or iPads running outdated operating systems (e.g., iOS 15, iOS 16, or any build that still lacks the fixes for the CVEs associated with these kits).
  2. Enforce Update Policies: Apple frequently issues targeted security-only backports for older devices (e.g., iOS 16.8.x). Mandate the immediate installation of these patches across the fleet.
  3. Harden BYOD Restrictions: Temporarily (or permanently) restrict BYOD access to critical internal services for devices that cannot be updated to a supported baseline OS.
  4. Network Segregation: Ensure that legacy devices on the corporate network are heavily segregated and cannot access sensitive operational environments (zero-trust architecture).
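As an added illustration of steps 1 to 3 (example code written for this page, not tooling from Eresus Security or Apple), the script below triages a constructed MDM inventory export against a patched-iOS baseline and assigns each non-compliant device an action. The CSV column names and the baseline version numbers are assumptions; substitute your MDM's export format and the builds named in Apple's advisory.

```python
"""Triage an MDM inventory export against a patched-iOS baseline (added example)."""
import csv
import io
from typing import NamedTuple

# Constructed sample export. The column names are an assumption, not any MDM
# vendor's real schema; map them to your product's CSV export before use.
SAMPLE_EXPORT = """\
device_name,serial,os_version,ownership
ceo-iphone,SERIAL-PLACEHOLDER-1,19.2,corporate
sales-ipad-3,SERIAL-PLACEHOLDER-2,16.7.10,corporate
contractor-personal,SERIAL-PLACEHOLDER-3,15.8.3,byod
eng-test-phone,SERIAL-PLACEHOLDER-4,16.8.1,corporate
"""

# Lowest build per major version that carries the backported fixes. These are
# placeholder values: take the real numbers from Apple's advisory.
BASELINE = {19: (19, 0), 16: (16, 8, 1)}
MIN_SUPPORTED_MAJOR = 16   # anything older cannot reach a patched build

class Finding(NamedTuple):
    device_name: str
    os_version: str
    ownership: str
    action: str

def parse_version(text: str) -> tuple:
    """'16.7.10' -> (16, 7, 10); tuples compare numerically, so 16.7.10 < 16.8.1."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(export_text: str, baseline=BASELINE, min_major=MIN_SUPPORTED_MAJOR):
    """Return one Finding per non-compliant device, in export order."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        version = parse_version(row["os_version"])
        major = version[0]
        if major < min_major:
            # Cannot be updated to the baseline: BYOD loses access to internal
            # services; corporate units go to a segregated network pending replacement.
            action = "restrict_byod" if row["ownership"] == "byod" else "segregate_and_replace"
        elif major not in baseline:
            action = "review"          # supported major with no baseline on file
        elif version < baseline[major]:
            action = "update_now"      # supported major, missing the backport
        else:
            continue                   # at or above baseline: compliant
        findings.append(Finding(row["device_name"], row["os_version"], row["ownership"], action))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"{f.device_name:<22} {f.os_version:<9} {f.ownership:<10} {f.action}")
```

Note that plain tuple comparison is what keeps 16.7.10 from being misread as newer than 16.8.1; a string comparison would get that wrong.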

Legacy hardware is often the weakest link in your corporate defense. Let Eresus Security's Red Team simulate these exact drive-by attacks to validate your MDM controls and internal network threat detection.