Full Report
Apple is now sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS to alert users of web-based attacks and urge them to install the update. The development was first reported by MacRumors. "Apple is aware of attacks targeting out-of-date iOS software, including the version on your iPhone. Install this critical update to protect your iPhone," the
Analysis Summary
# Vulnerability: Active Exploitation of Outdated iOS/iPadOS via Coruna and DarkSword Exploit Kits
## CVE Details
* **CVE ID:** Not explicitly cited in the article (The kits leverage a collection of at least 29 different vulnerabilities, including those from the "Operation Triangulation" campaign).
* **CVSS Score:** N/A (Categorized as Critical by Apple).
* **CWE:** Varies (Includes web-based and zero-click iMessage exploitation types).
## Affected Systems
* **Products:** Apple iPhone and iPad.
* **Versions:**
    * **Coruna Exploit Kit:** Targets iOS versions **13.0 through 17.2.1**.
    * **DarkSword Exploit Kit:** Targets iOS versions **18.4 through 18.7**.
* **Configurations:** Devices running outdated software visiting compromised websites or receiving malicious iMessages.
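The version ranges above can be applied to a device inventory to find exposed devices. The following is an added example, not part of the original report: the inventory format, device names and function names are constructed for illustration, and treating both bounds as inclusive (with 18.7 covering 18.7.x point releases) is an assumption the report does not confirm.

```python
import csv
import io
import re

# Affected ranges exactly as stated in the Affected Systems list above.
# Assumption: bounds are inclusive and an upper bound given as 18.7 also
# covers its point releases (18.7.x); the report does not say either way.
AFFECTED = {
    "Coruna": ((13, 0), (17, 2, 1)),
    "DarkSword": ((18, 4), (18, 7)),
}
# Constructed sample inventory (hypothetical MDM export, not real devices).
SAMPLE_INVENTORY = """device_id,os_version
ipad-001,16.7.2
iphone-002,17.2.1
iphone-003,17.3
iphone-004,18.5
iphone-005,18.7.2
ipad-006,12.5.7
iphone-007,unknown
"""

def parse_version(text):
    # '17.2.1' -> (17, 2, 1); anything that is not N[.N[.N]] -> None
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    return tuple(int(p) for p in m.groups() if p is not None) if m else None

def in_range(ver, low, high):
    # Pad to three components for the lower bound; compare the upper bound
    # at its own precision so 18.7.2 still counts as "through 18.7".
    v = ver + (0,) * (3 - len(ver))
    lo = low + (0,) * (3 - len(low))
    return lo <= v and v[:len(high)] <= high

def classify(version_text):
    ver = parse_version(version_text)
    if ver is None:
        return "unparseable"  # route to manual review, never treat as safe
    for kit, (low, high) in AFFECTED.items():
        if in_range(ver, low, high):
            return kit
    # Outside the stated ranges only; this is not a claim the build is patched.
    return "not in a listed range"

def triage(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: classify(r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, finding in triage(SAMPLE_INVENTORY).items():
        print(f"{device}\t{finding}")
```

Devices reported as "unparseable" or older than the listed ranges (such as the constructed 12.5.7 entry) still need review, since the report only states which versions the kits target.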
## Vulnerability Description
The threat involves two primary exploit kits:
* **Coruna:** An evolution of the sophisticated "Operation Triangulation" framework. It is used to deliver malicious payloads and spyware using a chain of exploits (reportedly totaling 23).
* **DarkSword:** A newer kit (leak-based) designed for mass-exploitation using approximately 6 different flaws.
These kits enable attackers to compromise devices when a user interacts with a malicious web link or, in some historical cases related to the framework, via zero-click vectors.
## Exploitation
* **Status:** **Exploited in the wild.** Apple is actively issuing Lock Screen notifications to warn users of these specific attacks.
* **Complexity:** Medium (For the attacker, as these are pre-packaged kits; High for the developer).
* **Attack Vector:** Network (Web-based) and potentially Adjacent/Local (via messaging frameworks).
## Impact
* **Confidentiality:** **High** (Targeted for spyware and mercenary data extraction).
* **Integrity:** **High** (Ability to deliver and execute malicious payloads).
* **Availability:** **Medium** (Potential for device instability or total takeover).
## Remediation
### Patches
* **Immediate Action:** Update devices to the latest available version of iOS or iPadOS (e.g., iOS 18.x or the latest security response for older supported hardware).
* Apple has issued a critical update specifically to mitigate the flaws leveraged by these kits.
### Workarounds
* **Lockdown Mode:** Enable "Lockdown Mode" (available on iOS 16 and later). Apple states no successful mercenary spyware attacks have been confirmed against a device with this mode enabled.
* Avoid clicking suspicious links in messages or visiting untrusted websites.
## Detection
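* **Indicators of Compromise:** Lock Screen security alerts from Apple specifically mentioning "attacks targeting out-of-date iOS software." Per the report, Apple sends these alerts to devices running older iOS/iPadOS versions, so an alert marks a device that still needs the update.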
* **Detection Methods:** Kaspersky and other vendors track the "Coruna" framework as an evolution of Operation Triangulation. Security teams can monitor for known Command & Control (C2) infrastructure associated with these kits.
## References
* Apple Support Document regarding older iOS vulnerabilities.
* The Hacker News: hxxps://thehackernews[.]com/2026/03/apple-sends-lock-screen-alerts-to.html
* MacRumors: hxxps://www[.]macrumors[.]com/2026/03/27/critical-security-alerts-sent-to-ios-17-iphones/
* TechCrunch Statement on Lockdown Mode: hxxps://techcrunch[.]com/2026/03/27/apple-says-no-one-using-lockdown-mode-has-been-hacked-with-spyware/