CISA Warns of Exploited iOS Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to immediately patch several iOS vulnerabilities being actively exploited in the wild. The flaws are reportedly being used in spyware and cryptocurrency theft attacks, leveraging the Coruna exploit kit. This highlights the need for rapid patch adoption and device attestation in backend systems handling sensitive data.

The Coruna exploit kit represents a significant escalation in iOS threats, bundling 23 exploits into five full chains that target iOS versions 13.0 through 17.2.1. Its evolution is a case study in modern threat proliferation: it was first seen in a targeted campaign by a customer of a commercial surveillance vendor in February 2025, then repurposed by a suspected Russian state-sponsored group for watering-hole attacks against Ukrainian websites, and finally adopted by a China-based cybercriminal group for widespread financial theft by late 2025.

The exploit chains are technically sophisticated, combining WebKit remote code execution vulnerabilities such as CVE-2024-23222 with sandbox escapes and kernel privilege escalation. Critically, the chains incorporate bypasses for hardware-level security features such as Pointer Authentication Codes (PAC), which are designed to prevent attackers from modifying pointers in memory. These bypasses demonstrate an advanced understanding of Apple's A-series silicon and its defenses.

In its final evolution as a tool for financial crime, the payload was not traditional spyware but a stager injected into the 'powerd' root daemon. This malware, dubbed Plasmagrid, was designed to hook into at least 18 different cryptocurrency wallet applications, including MetaMask, Phantom, and Uniswap, to exfiltrate credentials and funds. The framework was also engineered for stealth, terminating execution if it detected that the device was in Lockdown Mode or that the user was in a private browsing session.

The three vulnerabilities CISA added to its Known Exploited Vulnerabilities (KEV) catalog, CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000, now carry a remediation deadline of March 26, 2026, for federal agencies under Binding Operational Directive (BOD) 22-01. This directive requires agencies to address vulnerabilities actively exploited in the wild, shifting focus from theoretical severity scores to proven real-world threats.

The success of the cryptocurrency theft highlights a critical architectural gap in services that handle sensitive data. Without backend enforcement of device attestation, a compromised device can present itself as legitimate. Managed Device Attestation, backed by the Secure Enclave, can cryptographically verify that a device is genuine, unmodified, and running a legitimate OS build before it is granted access to sensitive APIs or user data, mitigating the risk of data exfiltration from a successfully exploited but untrusted device.
