Apple has issued new security updates for older iPhone and iPad models to patch vulnerabilities linked to the Coruna exploit kit, which has been used in cyberespionage and cryptocurrency theft campaigns.
The fixes are aimed at devices that can no longer move to the latest iOS and iPadOS releases, bringing protections that had already reached newer hardware in earlier updates.

Coruna exploit chains targeted older Apple devices through WebKit and kernel flaws

According to Apple’s security advisories, the latest patches address multiple vulnerabilities that were used in exploit chains capable of giving attackers remote code execution or elevated privileges at the kernel level.

Apple said the update includes fixes associated with the Coruna exploit and is specifically designed for devices that cannot upgrade to the newest iOS version.
The patched vulnerabilities include CVE-2023-41974, CVE-2024-23222, CVE-2023-43000 and CVE-2023-43010. CVE-2023-41974 is a kernel use-after-free issue. CVE-2024-23222 is a WebKit type confusion flaw.
CVE-2023-43000 and CVE-2023-43010 are both WebKit-related memory handling vulnerabilities. Apple said the issues were resolved through improved memory management and stronger validation checks.
The list of supported devices is broad and covers several legacy models running iOS 15.8.7, iOS 16.7.15, iPadOS 15.8.7 and iPadOS 16.7.15. On the iPhone side, the update applies to all iPhone 6s models, all iPhone 7 models, the first-generation iPhone SE, iPhone 8, iPhone 8 Plus and iPhone X.
The iPad and iPod lineup includes iPad Air 2, iPad mini 4, iPod touch 7th generation, iPad 5th generation, the 9.7-inch iPad Pro and the first-generation 12.9-inch iPad Pro.
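For teams checking a device fleet against the fixed builds listed above, the following added example (not from Apple or the original article) compares each device with the fixed build of its own OS branch, since a plain minimum-version check would treat 16.7.14 as newer than 15.8.7 and pass it. The inventory rows and column names are constructed assumptions; branches other than 15 and 16 are reported as out of scope because the article gives no fixed build for them.

```python
import csv
import io

# Fixed builds named in the article, keyed by major OS branch (iOS and iPadOS share numbers).
PATCHED = {15: (15, 8, 7), 16: (16, 7, 15)}

# Constructed sample inventory (not real devices); column names are assumptions.
SAMPLE_INVENTORY = """device_id,model,os_version
d-001,iPhone 8,16.7.15
d-002,iPhone 6s,15.8.6
d-003,iPad Air 2,15.8.7
d-004,iPhone X,16.7.14
d-005,iPhone 7,15.8
d-006,iPhone 15,18.3.1
d-007,iPad mini 4,unknown
"""

def parse_version(text):
    """Return a 3-tuple of ints, padding '15.8' to (15, 8, 0); None if unparseable."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version_text):
    """Compare against the fixed build of the device's own branch only."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"  # surface for manual review rather than assume patched
    fixed = PATCHED.get(version[0])
    if fixed is None:
        return "out-of-scope"  # branch not covered by these backports
    return "patched" if version >= fixed else "needs-update"

def audit(inventory_csv):
    """Map device_id -> status for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: classify(r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(device, status)
```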
Google Threat Intelligence Group had previously reported that the Coruna exploit kit had been in use since February 2025 by several threat actors. The list includes suspected Russian state-linked group UNC6353, a customer of a surveillance vendor and a financially motivated Chinese threat actor tracked as UNC6691.
Researchers said UNC6691 used fake gambling and cryptocurrency websites to deploy Coruna and deliver malware designed to steal crypto wallets from infected devices. That places the exploit kit in both espionage and financially driven attack activity.
The U.S. Cybersecurity and Infrastructure Security Agency has also moved on the issue. CISA added three of the vulnerabilities used by Coruna to its Known Exploited Vulnerabilities catalog last week. One of them was CVE-2023-43010, the WebKit flaw whose fix Apple has now backported to older devices.
CISA also ordered Federal Civilian Executive Branch agencies to patch affected iOS devices by March 26 under Binding Operational Directive 22-01. The agency warned that these vulnerabilities are commonly used by malicious actors and carry serious risk for federal systems.
Apple already dealt with another high-profile security issue earlier this year. The company patched CVE-2026-20700, a zero-day vulnerability used in what it described as an extremely sophisticated attack against specific individuals.
Apple said the flaw could allow threat actors to execute arbitrary code on compromised devices. The issue was reported by Google’s Threat Analysis Group, though Apple did not release technical details on how the exploit had been used.
