Apple Rushes Emergency Security Patches to Older iPhones and iPads to Counter Coruna Exploit Kit

What Happened

Apple has released emergency security updates targeting older iPhone and iPad models to patch a set of vulnerabilities actively being exploited in the wild through the Coruna exploit kit. The patches, reported by BleepingComputer on March 12, 2026, address vulnerabilities that have been leveraged in both cyberespionage campaigns and cryptocurrency theft operations, making this a dual-threat scenario affecting both high-value targets and everyday consumers.

The Coruna exploit kit — a sophisticated collection of chained vulnerabilities that allows attackers to gain persistent access to iOS devices — has been observed targeting users in multiple countries. The kit exploits weaknesses in WebKit, the browser engine underpinning Safari and all third-party browsers on iOS, as well as kernel-level vulnerabilities that enable privilege escalation from a sandboxed browser process to full device compromise.

Office 2024 Pro Plus

Word, Excel, PowerPoint + more. 3 Devices.

$29

Buy Now →

Windows 11 Pro

Professional Edition. 3 Devices.

$29

Buy Now →

Office 365 Lifetime

5 Devices. Lifetime Account.

$29

Buy Now →

Visio 2024 Pro

Professional Diagramming. 3 Devices.

$29

Buy Now →

Project 2024 Pro

Project Management. 3 Devices.

$29

Buy Now →

Win 11 + Office Bundle

Win 11 Pro + Office + Visio + Project

$49.99

Buy Now →

Apple's decision to backport these patches to older device models is notable. The company typically focuses security updates on the most recent iOS versions, but the severity of the Coruna exploits — and the significant installed base of older devices still in active use — prompted Apple to extend coverage to devices running iOS 15 and iOS 16, ensuring protection for millions of users who have not upgraded to the latest hardware.

Background and Context

The Coruna exploit kit represents the latest evolution in a growing market for iOS exploit chains. Named by security researchers who first documented its components in late 2025, Coruna combines multiple zero-day and n-day vulnerabilities into a reliable attack chain that can compromise a target device through a single malicious link or compromised website — a technique known as a drive-by exploit.

The commercial spyware industry has driven much of the demand for iOS exploits, with companies like NSO Group, Intellexa, and their successors selling device compromise capabilities to government clients. However, the Coruna kit appears to have a broader distribution, with evidence suggesting it has been used by both state-sponsored actors conducting surveillance and financially motivated cybercriminals targeting cryptocurrency wallets and authentication credentials.

Apple has been engaged in a sustained effort to harden iOS against these attacks, introducing features like Lockdown Mode, enhanced WebKit sandboxing, and pointer authentication codes (PAC) to make exploitation more difficult. Despite these defences, the sophistication and financial incentives of the exploit development ecosystem continue to produce viable attack chains, particularly against older devices that lack the latest hardware security features.

Why This Matters

The Coruna patches highlight a critical tension in the mobile security landscape: the gap between security capabilities on the latest hardware and the protection available to users on older devices. While Apple's newest iPhones feature hardware-level security enhancements that make many exploit techniques significantly harder, hundreds of millions of iPhones in active use worldwide run older hardware that lacks these protections.

Apple's decision to backport the patches demonstrates a recognition that security is not just a feature of new products but an ongoing obligation to existing users. This is particularly important in markets where device upgrade cycles are longer — including developing countries where older iPhones remain in widespread use, and enterprise environments where device fleets are refreshed on three- to five-year cycles.

The dual-use nature of the Coruna exploits — serving both espionage and financial crime — represents a concerning convergence. Exploit kits that were once the exclusive tools of nation-state intelligence agencies are increasingly available to criminal organisations, blurring the line between state-sponsored attacks and conventional cybercrime. This democratisation of advanced exploit capabilities means that the threat is no longer limited to journalists, activists, and government officials — everyday users with cryptocurrency holdings or valuable business credentials are now targets.

Industry Impact

The mobile security industry will see renewed attention to older device protection. Mobile device management (MDM) solutions used by enterprises will need to ensure that patch deployment for older devices is prioritised with the same urgency as updates for current models. Organisations managing mixed device fleets should audit their MDM configurations to confirm that backported security updates are being pushed to all enrolled devices.

For the cybersecurity research community, the Coruna kit provides valuable intelligence about current exploitation techniques and attacker capabilities. The security patches themselves, once reverse-engineered, will reveal the specific vulnerabilities being exploited, contributing to the broader understanding of iOS attack surfaces and informing defensive tool development.

The cryptocurrency industry faces continued pressure from exploit kits that target mobile wallet applications and authentication mechanisms. Hardware wallet manufacturers and cryptocurrency exchanges should emphasise security hygiene education for their users, including the critical importance of keeping mobile devices updated — a message that applies equally to users managing their crypto activities from computers running a genuine Windows 11 key with current security patches.

Expert Perspective

Apple's backporting of security patches to older iOS versions is a commendable but reactive measure. The more fundamental challenge is the structural vulnerability of the WebKit monoculture on iOS, where Apple's requirement that all browsers use WebKit means that a single WebKit vulnerability affects every browsing application on the platform. This architectural decision, which Apple defends on security grounds, paradoxically creates a single point of failure that exploit developers can target with confidence.

The Coruna exploit kit's success also underscores the limitations of purely technical defences. User awareness — recognising suspicious links, avoiding untrusted websites, and maintaining up-to-date devices — remains a critical layer of protection that no amount of kernel hardening can fully replace. Businesses using enterprise productivity software should incorporate mobile security awareness into their broader cybersecurity training programmes.

What This Means for Businesses

IT administrators should immediately verify that all company-managed Apple devices have received the latest security updates, with particular attention to older models that may have been deprioritised in update schedules. Organisations using affordable Microsoft Office licence tools on iOS should confirm that their mobile productivity applications are running on patched devices to protect sensitive business documents accessed through mobile workflows.

BYOD policies should be reviewed to ensure that minimum iOS version requirements account for backported security patches, not just feature updates.

Key Takeaways

• Apple has released emergency patches for older iPhones and iPads against the Coruna exploit kit
• The Coruna kit chains WebKit and kernel vulnerabilities for full device compromise via drive-by attacks
• Exploits are being used for both cyberespionage and cryptocurrency theft
• Apple backported patches to iOS 15 and 16, protecting hundreds of millions of older devices
• The dual-use nature of the exploits blurs the line between state-sponsored and criminal attacks
• All Apple device users should update immediately, and enterprises should verify fleet-wide patch deployment

Looking Ahead

The Coruna exploit kit is unlikely to be the last sophisticated iOS attack chain to emerge. As long as the economics of mobile exploitation remain favourable — with iOS zero-day chains commanding prices in the millions of dollars on both legitimate and grey markets — the development of new exploit capabilities will continue. Apple's long-term response will need to address both the specific vulnerabilities being exploited and the structural factors that make iOS an attractive and rewarding target.