
CISA Adds Three iOS Vulnerabilities to the Known Exploited Vulnerabilities Catalog

  • Writer: Editorial Team
  • 58 minutes ago
  • 4 min read

The Cybersecurity and Infrastructure Security Agency (CISA) has added three iOS vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the growing concern over the exploitation of vulnerabilities on mobile devices. The additions independently corroborate published research on a campaign that exploits flaws in the iOS operating system, and they confirm that iOS users are the target of a global cyber-espionage campaign.

The three vulnerabilities are tracked as CVE-2021-30952, CVE-2023-41974 and CVE-2023-43000. They are believed to be part of Coruna, an advanced iOS exploitation kit that compromises iPhones by luring them into loading purpose-built malicious web content.

By adding them to the catalog, CISA is signalling to agencies and businesses that these vulnerabilities are not a theoretical risk but a confirmed reality: they are being exploited in the wild.


Understanding the Known Exploited Vulnerabilities List

The KEV Catalog is a centralized, authoritative list of vulnerabilities that are known to have been exploited in the wild. Under Binding Operational Directive (BOD) 22-01, U.S. federal civilian agencies must remediate each vulnerability within a set deadline once it is added to the catalog.

For these three Apple iOS issues, federal agencies must complete remediation by March 26, 2026.

Security professionals recommend that everyone with an affected iOS device install the update, even though no law requires it.


The Three iOS Security Flaws

All three weaknesses affect core components of Apple's iOS ecosystem, and each can allow an attacker to execute unauthorized code.

CVE-2021-30952 is an integer overflow in WebKit, the engine that renders web content on iOS. An attacker who lures a target device into loading a crafted web page can achieve arbitrary code execution. Apple fixed the issue with improved input validation in iOS 15.2; devices on earlier versions remain vulnerable.

CVE-2023-41974 is a use-after-free bug in the iOS kernel. An attacker who can already run code on the device can use it to execute code with kernel privileges, the highest level of control the operating system has. From there, the attacker can install spyware or tamper with system processes and take over the device.

CVE-2023-43000 is another use-after-free, this one in WebKit: maliciously crafted web content can corrupt memory management and lead to arbitrary code execution on the affected device.

Although Apple patched all three in later iOS releases, many users have not upgraded, leaving a large population of devices exposed.


The Function of the Coruna Exploit Kit

Researchers report that these vulnerabilities have been used in attacks built on Coruna, an advanced exploitation framework. The kit is reported to contain 23 exploits that together achieve end-to-end compromise of a targeted device across iOS releases from iOS 13 through iOS 17.2.1.


Coruna chains several vulnerabilities in sequence, each stage defeating one layer of the device's built-in defenses, until the attacker reaches full control.


According to the research on the toolkit, it contains five complete exploit chains, each taking the attacker from an entry point, such as a loaded web page, to total control of the targeted device. From there the attacker can intercept communications, plant spyware, and steal a wide range of sensitive information.


Evidence of Active Exploitation

The use of Coruna by multiple threat actors, spanning both state-sponsored and criminal groups, prompted a closer look at these vulnerabilities.


According to Google's Threat Analysis Group, several active threat actors, including a Chinese cybercrime group and a Russian espionage group, are using the framework.


The widespread use of this toolkit points to a dangerous trend: the criminal re-use and distribution of sophisticated cyber-espionage tools.


Once an exploit framework leaks or becomes publicly available, the pool of potential attackers grows sharply, and analysts note that its original creators lose control over how it is used.


The Importance of Mobile Security

Smartphones are central to personal and business life, which makes them a prime target for attackers. A mobile device often holds more sensitive information than a personal computer, including:

  • Personal communications

  • Banking and financial information

  • Authentication tokens

  • Location history

  • Work documents and confidential personal information

Consequently, iPhone vulnerabilities are frequently exploited in targeted surveillance operations against executives, government officials and journalists, investigative reporters in particular.


iOS is considered one of the more secure operating systems because of its tightly controlled environment and rapid patch cycle, but no operating system is free of vulnerabilities.


Most bugs are a product of software complexity, and attackers are always looking for the ones that remain unpatched.


The Importance of Timely Updates

Experts agree that keeping the operating system up to date is one of the most effective defenses against exploitation.

Apple patches vulnerabilities quickly once they are found, but a patch only protects a device after the user installs the update.


An unpatched iOS device remains vulnerable regardless of the platform's other built-in restrictions.


Experts recommend that organizations put processes in place to ensure work-related mobile devices are updated promptly and monitored for signs of compromise.
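As an added example (not code from the article, CISA or Apple), the Python script below shows one way to act on two points made above: the BOD 22-01 deadline attached to each KEV entry, and the gap between the iOS version a device runs and the version that first shipped each fix. It reads KEV-shaped entries to flag CVEs whose due date has passed, then compares an MDM-style device inventory against the first-fixed iOS versions to list which devices are still exposed to the three CVEs and which fall inside the iOS 13 to 17.2.1 span Coruna is reported to cover. The feed entries and the inventory are constructed samples that only mirror the field names of CISA's public feed; the iOS 15.2 fix version comes from the article, while the iOS 17.0 and 17.2 fix versions for CVE-2023-41974 and CVE-2023-43000 are assumptions to be verified against Apple's security notes.

```python
"""Fleet exposure check for the three KEV-listed iOS CVEs.

Added example for this article; it is not CISA's, Apple's or the article's
own code. KEV_FEED_SAMPLE is a constructed stand-in that mirrors the field
names of CISA's public known_exploited_vulnerabilities.json feed; FLEET is a
made-up device inventory; the iOS 17.0 / 17.2 fix versions are ASSUMED and
should be verified against Apple's security notes (15.2 is from the article).
"""
from datetime import date

# Constructed sample shaped like CISA's KEV feed: a top-level object whose
# "vulnerabilities" array holds one entry per CVE. dateAdded is a placeholder;
# dueDate matches the March 26, 2026 deadline quoted in the article.
KEV_FEED_SAMPLE = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-30952", "vendorProject": "Apple", "product": "iOS",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
        {"cveID": "CVE-2023-41974", "vendorProject": "Apple", "product": "iOS",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
        {"cveID": "CVE-2023-43000", "vendorProject": "Apple", "product": "iOS",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
    ],
}

# First iOS release that ships each fix, as a (major, minor[, patch]) tuple.
FIXED_IN = {
    "CVE-2021-30952": (15, 2),   # stated in the article
    "CVE-2023-41974": (17, 0),   # ASSUMED from Apple's iOS 17 security notes
    "CVE-2023-43000": (17, 2),   # ASSUMED from Apple's iOS 17.2 security notes
}

# Version span the Coruna kit is reported to cover (article: iOS 13 to 17.2.1).
CORUNA_RANGE = ((13, 0), (17, 2, 1))

# Constructed device inventory, e.g. an export from an MDM system.
FLEET = [
    {"device": "exec-iphone-01", "os_version": "17.2.1"},
    {"device": "legal-iphone-02", "os_version": "16.7.4"},
    {"device": "field-iphone-03", "os_version": "15.1"},
    {"device": "new-iphone-04", "os_version": "17.4"},
]


def parse_version(text):
    """'17.2.1' -> (17, 2, 1). Tuples compare lexicographically, so the
    shorter prefix (17, 2) sorts before (17, 2, 1), which is what we want."""
    return tuple(int(part) for part in text.strip().split("."))


def kev_entries_for_vendor(feed, vendor="Apple"):
    """Pull one vendor's entries out of a KEV-shaped feed object."""
    return [v for v in feed["vulnerabilities"] if v.get("vendorProject") == vendor]


def overdue_cves(entries, today):
    """CVEs whose BOD 22-01 dueDate has already passed on `today`
    (a date or an ISO 'YYYY-MM-DD' string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(e["cveID"] for e in entries
                  if date.fromisoformat(e["dueDate"]) < today)


def exposure_report(fleet, fixed_in=FIXED_IN, kit_range=CORUNA_RANGE):
    """For each device: the listed CVEs it is still exposed to, and whether
    its version lies inside the exploit kit's reported target range."""
    low, high = kit_range
    report = {}
    for dev in fleet:
        ver = parse_version(dev["os_version"])
        report[dev["device"]] = {
            "open_cves": sorted(c for c, fix in fixed_in.items() if ver < fix),
            "in_kit_range": low <= ver <= high,
        }
    return report


if __name__ == "__main__":
    apple = kev_entries_for_vendor(KEV_FEED_SAMPLE)
    print("overdue as of 2026-03-27:", overdue_cves(apple, "2026-03-27"))
    for name, info in exposure_report(FLEET).items():
        print(name, info)
```

Pointing kev_entries_for_vendor at the real feed (json.load of CISA's known_exploited_vulnerabilities.json) and FLEET at an MDM export turns this into a usable compliance check. Note that a device such as exec-iphone-01 on 17.2.1 is clear of these three CVEs yet still sits inside the version span the kit is reported to target, so the two checks answer different questions: "is this CVE closed?" and "is this build inside the range a known kit attacks?".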


Beyond updates, features such as Apple's Lockdown Mode shrink the attack surface available to sophisticated attackers.


The Bigger Picture of Cybersecurity

The iOS vulnerabilities cataloged in CISA's KEV highlight a fundamental concern for the security community: sophisticated exploit frameworks are becoming easy to obtain and use.


Cybercriminals are now leaking and repurposing tools that were once the exclusive domain of intelligence agencies and specialist surveillance vendors.


This trend poses a profound threat to the future of mobile security. Defensive measures, particularly patch management, threat detection and end-user training, must improve to keep pace with the growing availability of exploit kits.


For now, security companies have little choice but to urge customers to update as soon as possible and to treat mobile security with the same seriousness as desktop security.


Smartphones are increasingly the gateway to sensitive and valuable personal and corporate information, and the security picture for all mobile devices is only getting harder.

