Feds take notice of iOS vulnerabilities exploited under mysterious circumstances
Source: Ars Technica
Coruna is notable for its use by three distinct hacking groups. Google first detected its use in February of last year in an operation conducted by a “customer of a surveillance vendor.” The vulnerability exploited, tracked as CVE‑2025‑23222, had been patched 13 months earlier. In July 2025, a “suspected Russian espionage group” exploited CVE‑2023‑43000 in attacks planted on websites frequented by Ukrainian targets. Last December, when it was used by a “financially motivated threat actor from China,” Google was able to retrieve the complete exploit kit.
“How this proliferation occurred is unclear, but suggests an active market for ‘second‑hand’ zero‑day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re‑used and modified with newly identified vulnerabilities.”
Google researchers added:
We retrieved all the obfuscated exploits, including ending payloads. Upon further analysis, we noticed an instance where the actor deployed the debug version of the exploit kit, leaving in the clear all of the exploits, including their internal code names. That’s when we learned that the exploit kit was likely named Coruna internally. In total, we collected a few hundred samples covering a total of five full iOS exploit chains. The exploit kit is able to target various iPhone models running iOS 13.0 (released September 2019) up to iOS 17.2.1 (released December 2023).
Identified exploits
The 23 exploits, along with their code names, targeted iOS versions, fixed versions, and CVE identifiers, are listed below.
| Type | Codename | Targeted versions (inclusive) | Fixed versions | CVE |
|---|---|---|---|---|
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE‑2021‑30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE‑2022‑48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | — |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE‑2023‑43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE‑2024‑23222 |
| WebContent PAC bypass | breezy | 13 → 14.x | ? | — |
| WebContent PAC bypass | breezy15 | 15 → 16.2 | ? | — |
| WebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | — |
| WebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | — |
| WebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | — |
| WebContent sandbox escape | IronLoader | 16.0 → 16.3.116.4.0 (≤ A12) | 15.7.8, 16.5 | CVE‑2023‑32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13‑A16) | 17.0 | — |
| PE | Neutron | 13.X | 14.2 | CVE‑2020‑27932 |
| PE (infoleak) | Dynamo | 13.X | 14.2 | CVE‑2020‑27950 |
| PE | Pendulum | 14 → 14.4.x | 14.7 | — |
| PE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE‑2023‑32434 |
| PE | Parallax | 16.4 → 16.7 | 17.0 | CVE‑2023‑41974 |
| PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | — |
| PPL Bypass | Quark | 13.X | 14.5 | — |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE‑2023‑38606 |
| PPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | — |
| PPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE‑2024‑23225 |
| PPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE‑2024‑23296 |
CISA response
CISA is adding only three of the CVEs to its catalog:
- CVE‑2021‑30952 – Apple Multiple Products Integer Overflow or Wraparound Vulnerability
- CVE‑2023‑41974 – Apple iOS and iPadOS Use‑After‑Free Vulnerability
- CVE‑2023‑43000 – Apple Multiple Products Use‑After‑Free Vulnerability
The agency advises federal entities to:
- Apply mitigations per vendor instructions.
- Follow applicable guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA warns that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”