Federal agencies are scrutinizing a suite of iOS vulnerabilities, internally dubbed Coruna, that have been exploited by at least three distinct hacking groups. Google first detected the suite in February of last year, when it was used by a "customer of a surveillance vendor" to target a vulnerability patched 13 months prior. Further incidents involved a "suspected Russian espionage group" that exploited CVE-2023-43000 against Ukrainian targets in July 2025, and a "financially motivated threat actor from China" last December, from whom Google obtained a complete exploit kit.

Google researchers noted an active market for "second hand" zero-day exploits, with multiple threat actors acquiring and modifying advanced exploitation techniques. The Coruna exploit kit is capable of targeting iPhones running iOS versions from 13.0 (September 2019) to 17.2.1 (December 2023).

Several specific exploits have been identified, including "buffout," "jacurutu," "bluebird," "terrorbird," and "cassowary," targeting various iOS versions and functionalities. CISA is cataloging three key CVEs associated with these exploits: CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000. The agency has directed federal agencies to apply mitigations immediately, warning that these vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to national security.