Apple is currently facing a significant security issue affecting iPhones globally. In mid-February, Google’s Threat Analysis Group discovered a critical zero-day vulnerability in Apple’s iOS software. This vulnerability allowed hackers to gain full access to a “small subset” of targeted iPhones. Recently, it was reported that this exploit toolkit has been actively used by Russian and Chinese hackers, raising concerns that the toolkit could have originated from the United States government.
Vulnerability Details
The exploit toolkit, known as Coruna, reportedly includes five exploit chains and a total of 23 different exploits, all aimed at iPhones running from iOS 13 to 17.2.1. Mobile security experts from iVerify supported this finding, noting that about 42,000 iPhones have been affected.
A hacker can use an exploit chain to navigate a device’s security measures to gain access via various exploits. In simpler terms, if the software on your phone resembles a map, the exploit chain represents the necessary routes to bypass point after point until reaching the ultimate goal. Even one exploit chain is enough to compromise a device, but the five present in Coruna make it particularly sophisticated—unlike anything seen by security researchers on iOS before.
Google pointed out that Coruna is already in the hands of “customers of surveillance companies” and foreign entities, notably in China and Russia. Alarmingly, multiple threat actors now possess the capability to adapt these techniques to target new and unidentified vulnerabilities for future attacks.
Origins of Coruna
With Coruna now public knowledge, it’s natural to question its origin. Given its complexity, it seems improbable that an independent hacker conceived it. Instead, some evidence hints at possible government involvement.
For one, the toolkit’s source code appears to be written in native English, suggesting an English-speaking origin. Additionally, two exploits in the chain are linked to a specific hardware vulnerability found in Apple’s processing chips, discovered by the Russian cybersecurity firm Kaspersky. Russian officials previously accused the NSA of this exploit in 2023, although the U.S. government denied such claims.
Rocky Cole, co-founder of iVerify, referred to the code within Coruna as “fantastic” and well-crafted, noting its organization and commentary. His extensive experience in the U.S. defense sector led him to suspect it bears hallmarks of U.S.-based programmers. Nevertheless, Kaspersky has since dismissed any connection to the NSA despite the compelling evidence. The route through which this toolkit ended up with foreign groups remains unclear.
Indicators of a Security Breach
Apple’s iOS is generally considered hard for hackers to penetrate thanks to its closed architecture and robust encryption standards. However, the emergence of the Coruna toolkit has altered this reality. This marks the largest accumulation of exploits against iOS since its inception in 2007, signaling a trend that threatens to undermine Apple’s once-untouchable security framework.
Just last month, Apple rolled out a critical update to its iOS, addressing a separate zero-day vulnerability known as CVE-2026-20700. While this presents another serious risk to users, it’s not tied to Coruna. There may be more unknown zero-day vulnerabilities lurking within iOS; that’s almost a given.
How to Protect Your Device
Despite this troubling news, users can still take action. The best way to safeguard your devices is to consistently download and install the latest iOS updates on your iPhone, iPad, or laptop.
The vulnerabilities exploited by the Coruna toolkit targeting iOS 13 through 17.2.1, along with CVE-2026-20700, have been patched. If you haven’t updated your iPhone recently or are unsure of your version, simply open the Settings app to find updates. Depending on your device, make sure you’re on one of these versions:
- iOS 26.3.1 (for iPhone 11 and newer);
- iOS 18.7.5 (for XS, XS Max, XR models);
- iOS 16.7.14 (for iPhone 8, 8 Plus, and X);
- iOS 15.8.6 (for iPhone 6s and 7); or
- iOS 12.5.8 (for iPhone 5s, 6, 6 Plus).
For enhanced protection against future vulnerabilities, consider utilizing features like Apple Advanced Data Protection built into iCloud. You can also explore lockdown mode, though it’s geared more toward high-risk users like political figures, celebrities, and investigative journalists due to its limiting nature.
