Coruna and DarkSword iOS Exploits: How Check Point Mobile Security Helps Mitigate Enterprise Risk

michell — Wed, 20 May 2026 04:54:40 GMT

Table of Contents

Overview
What Is Coruna?
What Makes DarkSword Different?
Apple Security Response
How Check Point Mobile Security Helps Mitigate These Exploits
Conclusion

Overview

Coruna and DarkSword are advanced iOS exploit frameworks that shift iPhone compromise from rare, highly targeted espionage operations to scalable enterprise-level attacks. Capabilities once limited to intelligence agencies and commercial surveillance vendors are now accessible to a broader threat ecosystem.
Public leaks of exploit components and JavaScript proof‑of‑concept code have lowered the barrier to exploitation. Threat actors can reuse and share these components across underground communities to launch web‑based attacks. As a result, unpatched iOS devices pose a growing enterprise security concern.

What Is Coruna?

Coruna is a sophisticated exploit framework that targets iPhones and iPads running vulnerable iOS versions. Its reported capabilities include:

Multiple exploit chains covering 20+ vulnerabilities
Web‑based exploit delivery mechanisms
Full device compromise and data exfiltration

What Makes DarkSword Different?

Unlike Coruna, which targets older iOS versions, DarkSword targets newer versions, including iOS 18.x. Some attack scenarios require only a single click on a malicious or compromised website, while others approach near zero-click execution.
DarkSword combines multiple advanced techniques, including:

Zero‑day vulnerabilities
WebKit browser exploitation
Kernel privilege escalation
Sandbox escape techniques
Persistent spyware deployment

Once attackers compromise a device, they can potentially steal messages, credentials, and browser data, track device location, capture screenshots, record audio, and execute remote commands. In an enterprise context, this leads to stolen authentication tokens, hijacked SaaS sessions, intercepted MFA approvals, and long‑term surveillance of sensitive communications.

Apple Security Response

Apple addressed the vulnerabilities associated with Coruna and DarkSword in iOS 18.7.7, released on April 1, 2026. Apple also introduced visible security warnings within iOS settings to encourage immediate upgrades. The patched vulnerabilities include:

CVE‑2026‑20700 — dyld PAC bypass
CVE‑2025‑43529 — JavaScriptCore zero‑day memory corruption
CVE‑2025‑43520 — Kernel memory corruption
CVE‑2025‑43510 — Kernel copy‑on‑write memory management issue
CVE‑2025‑31277 — JavaScriptCore memory corruption
CVE‑2025‑14174 — ANGLE/WebGL memory corruption

Devices running older versions (iOS 18.4 through 18.7) remain significantly exposed.

How Check Point Mobile Security Helps Mitigate These Exploits

Traditional Mobile Device Management (MDM) solutions focus on compliance and configuration. However, they do not detect advanced exploit chains that operate entirely in memory or abuse legitimate browser components. Check Point Mobile Security provides Mobile Threat Defense (MTD) capabilities that complement traditional device management and patching strategies.
The following table describes the key risk‑reduction functions provided by Check Point Mobile Security:

Function	Capability
Enforce secure iOS versions	Administrators can configure policies to: Detect devices running vulnerable iOS versions and automatically raise device risk levels Alert security teams and restrict access to corporate resources until remediation This accelerates adoption of patched iOS versions such as iOS 18.7.7 and later.
CVE‑based risk visibility	Provides visibility into devices exposed to vulnerabilities associated with DarkSword and Coruna, including: CVE‑2026‑20700 CVE‑2025‑43529 CVE‑2025‑43520 CVE‑2025‑43510 CVE‑2025‑31277 CVE‑2025‑14174 Enables security teams to identify vulnerable devices, prioritize remediation, and monitor exposure across the mobile fleet.
Protection against web‑based exploitation	DarkSword and Coruna exploit chains rely heavily on malicious web content. Mobile Security helps reduce this exposure by: Detecting and blocking malicious and phishing websites Preventing communication with malicious infrastructure Monitoring abnormal mobile network activity This protection is critical because many iOS exploit chains do not require malicious app installation.
Conditional access enforcement	Integrates with enterprise identity platforms to: Block vulnerable devices from accessing SaaS applications and corporate email Prevent authentication from high‑risk mobile endpoints Enforce remediation before restoring access This limits the impact of compromised devices on enterprise environments.
Real‑time Mobile Threat Defense	Provides active protection through: Continuous device risk assessment and runtime threat analysis Network threat prevention and phishing protection Zero‑trust mobile access enforcement

Conclusion

Coruna and DarkSword demonstrate that advanced iOS exploitation is no longer limited to elite threat actors. Patching alone is insufficient; organizations must implement Mobile Threat Defense (MTD) controls such as Check Point Mobile Security, to gain CVE-based risk visibility, web threat protection, and enforce conditional access before attacks impact the enterprise.

cp<r> reference for more details: https://research.checkpoint.com/2026/9th-march-threat-intelligence-report/