Coruna iOS Exploit Kit: CISA Flags 3 CVEs After Google Exposes 23-Exploit Chain Used by Three Hacking Groups
Google's Threat Intelligence team disclosed "Coruna," a sophisticated iOS exploit kit that assembled 23 separate exploits into five full exploit chains, used by three distinct hacking groups — a surveillance vendor customer, a suspected Russian espionage group, and a financially motivated Chinese threat actor — across iOS 13.0 through 17.2.1. CISA has added three of the CVEs to its Known Exploited Vulnerabilities catalog: CVE-2021-30952 (integer overflow), CVE-2023-41974 (use-after-free), and CVE-2023-43000 (use-after-free), ordering federal agencies to patch immediately. The kit's second-hand reuse by unrelated actors signals an active secondary market for high-caliber iOS zero-day exploits.
Key Takeaways
- CISA added CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 to its KEV catalog — three of 23 exploits in the Coruna iOS kit targeting iOS 13.0 through 17.2.1 across five full exploit chains
- Three separate threat actors used Coruna: a surveillance vendor customer (Feb 2025), a suspected Russian espionage group targeting Ukrainian sites (Jul 2025), and a Chinese financially motivated group (Dec 2025)
- Google recovered the full debug version of the kit, revealing internal codenames for all exploits; CISA directed agencies to apply vendor mitigations or discontinue affected products immediately
Original source: Ars Technica / Google TAG