Feds take discover of iOS vulnerabilities exploited beneath mysterious circumstances
Coruna can be notable for its use by three distinct hacking teams. Google first detected its use in February of final yr in an operation performed by a “buyer of a surveillance vendor.” The vulnerability exploited, tracked as CVE-2025-23222, had been patched 13 months earlier. In July 2025, a “suspected Russian espionage group” exploited CVE-2023-43000 in assaults planted on web sites that have been frequented by Ukrainian targets. Final December, when it was utilized by a “financially motivated menace actor from China,” Google was in a position to retrieve the whole exploit equipment.
“How this proliferation occurred is unclear, however suggests an energetic marketplace for ‘second hand’ zero-day exploits,” Google wrote. “Past these recognized exploits, a number of menace actors have now acquired superior exploitation strategies that may be re-used and modified with newly recognized vulnerabilities.”
Google researchers went on to jot down:
We retrieved all of the obfuscated exploits, together with ending payloads. Upon additional evaluation, we seen an occasion the place the actor deployed the debug model of the exploit equipment, leaving within the clear all the exploits, together with their inner code names. That’s after we discovered that the exploit equipment was seemingly named Coruna internally. In whole, we collected just a few hundred samples overlaying a complete of 5 full iOS exploit chains. The exploit equipment is ready to goal varied iPhone fashions operating iOS model 13.0 (launched in September 2019) as much as model 17.2.1 (launched in December 2023).
The 23 exploits, together with the code names and different data, are:
| Kind | Codename | Focused variations (inclusive) | Mounted variations | CVE |
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC bypass | breezy | 13 → 14.x | ? | No CVE |
| WebContent PAC bypass | breezy15 | 15 → 16.2 | ? | No CVE |
| WebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE |
| WebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE |
| WebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE |
| WebContent sandbox escape | IronLoader | 16.0 → 16.3.116.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | Neutron | 13.X | 14.2 | CVE-2020-27932 |
| PE (infoleak) | Dynamo | 13.X | 14.2 | CVE-2020-27950 |
| PE | Pendulum | 14 → 14.4.x | 14.7 | No CVE |
| PE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | Parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL Bypass | Quark | 13.X | 14.5 | No CVE |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | No CVE |
| PPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |
CISA is including solely three of the CVEs to its catalog. They’re:
- CVE-2021-30952 Apple A number of Merchandise Integer Overflow or Wraparound Vulnerability
- CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
- CVE-2023-43000 Apple A number of merchandise Use-After-Free Vulnerability
CISA is directing businesses to “apply mitigations per vendor directions, comply with relevant… steerage for cloud companies, or discontinue use of the product if mitigations are unavailable.” The company went on to warn: “Some of these vulnerabilities are frequent assault vectors for malicious cyber actors and pose important dangers to the federal enterprise.”
