The US cybersecurity agency CISA on Thursday expanded the Known Exploited Vulnerabilities (KEV) list with five flaws, including three bugs targeted by the nation-state-grade Coruna iOS exploit kit.
Coruna contains exploits targeting 23 vulnerabilities in iOS versions spanning four years, namely iOS 13.0 to iOS 17.2.1, but is ineffective against the latest iterations of Apple’s mobile platform.
It has been used by multiple threat actors, including the customer of a spyware vendor, a Russian espionage group, and a financially motivated Chinese group.
Likely built using ‘second-hand’ zero-day exploits, Coruna fingerprints devices to load the appropriate WebKit remote code execution (RCE) exploit, bypasses various platform mitigations, and injects a payload in the ‘powerd’ daemon running as root.
The payload targets the victim’s financial information and can also load additional modules for exfiltrating cryptocurrency wallets and sensitive information from multiple applications.
Of the 23 security defects targeted by the exploit kit, 12 have had a CVE identifier assigned. All the exploited issues, publicly disclosed or not, have been patched.
Of the publicly disclosed bugs, nine were previously flagged as exploited, most of them as zero-days. These include CVE-2022-48503, CVE-2024-23222, CVE-2023-32409, CVE-2020-27932, CVE-2020-27950, CVE-2023-32434, CVE-2023-38606, CVE-2024-23225, and CVE-2024-23296.
There appear to have been no public reports of the exploitation of the remaining three CVEs, namely CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000, before this week’s revelations of the Coruna iOS exploit kit targeting them.
Now that CISA has added all three iOS flaws to the KEV catalog, federal agencies have three weeks to identify within their environments any vulnerable devices and to patch them, as mandated by Binding Operational Directive (BOD) 22-01.
On Thursday, CISA also warned that older vulnerabilities in multiple Hikvision and Rockwell products have been exploited in the wild.
While BOD 22-01 only applies to federal agencies, all organizations are advised to prioritize the remediation of bugs in the KEV catalog.
Related: Google: Half of 2025’s 90 Exploited Zero-Days Aimed at Enterprises
Related: Android Update Patches Exploited Qualcomm Zero-Day
Related: Apple Patches iOS Zero-Day Exploited in ‘Extremely Sophisticated Attack’
Related: In Other News: iOS 26 Deletes Spyware Evidence, Shadow Escape Attack, Cyber Exec Sold Secrets to Russia
