According to Google, the Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch three critical iOS vulnerabilities exploited over a 10-month span in campaigns by three distinct groups. The campaigns used Coruna, an advanced hacking kit that aggregated 23 iOS exploits into five exploit chains, with some flaws previously used as zero-days but patched by the time Google observed them being exploited.
On 5 March 2026, CISA added three of the CVEs to its catalog of known exploited vulnerabilities, directing agencies to patch and advising other organisations to apply mitigations or to discontinue use if mitigations are unavailable. The exploited flaws affected iOS versions 13 to 17.2.1. Coruna’s capabilities include a JavaScript framework with obfuscation, a fingerprinting module, and a WebKit exploit chain designed to bypass certain protections.
The three CVEs added by CISA are CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000, with guidance to follow vendor instructions and other applicable mitigations.