CISA has added five flaws to the Known Exploited Vulnerabilities (KEV) list, including three bugs tied to the Coruna iOS exploit kit. Coruna targets 23 vulnerabilities across iOS versions from 13.0 to 17.2.1, and has been used by multiple threat actors, including a Russian espionage group and a financially motivated Chinese group.
The kit is reported to be built using second-hand zero-day exploits, fingerprints devices to load a WebKit remote code execution exploit, bypasses several platform mitigations, and injects a payload in the powerd daemon running as root. The payload can access financial information and can load modules to exfiltrate cryptocurrency wallets and sensitive data from multiple apps.
Of the 23 flaws, 12 have CVE identifiers, with nine of the publicly disclosed bugs previously exploited, including CVEs such as CVE-2022-48503 and CVE-2024-23296 among others; three CVEs—CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000—had not been publicised as exploited before this week. Agencies have three weeks to identify and patch vulnerable devices under Binding Operational Directive 22-01, while older Hikvision and Rockwell vulnerabilities were also noted as exploited in the wild.