Apple releases security update for older iPhones and iPads after Coruna exploit


Apple has released security updates for older iPhones and iPads to address vulnerabilities targeted by the Coruna exploit kit, which has been used in cyber espionage attacks and cryptocurrency theft since February 2025. The patches cover devices that cannot run the latest version of iOS and did not receive the earlier fixes applied to newer hardware.

“This update brings that fix to devices that can’t update to the latest version of iOS,” Apple said in security advisories published Wednesday.

Apple patches Coruna exploits used in real attacks from early 2025

The Coruna exploit kit has been linked to several attack campaigns since early 2025. Security researchers say it includes multiple exploit chains capable of gaining remote code execution or kernel-level privileges on vulnerable devices.

Apple’s updates address several vulnerabilities targeted by the framework, including:

  • CVE-2023-41974: Kernel use-after-free vulnerability fixed with improved memory management
  • CVE-2024-23222: WebKit type confusion issue fixed with improved checks
  • CVE-2023-43000: WebKit use-after-free vulnerability
  • CVE-2023-43010: WebKit memory management bug

Many of these issues were previously fixed in newer versions of iOS, but had not yet been fixed on older devices.

Devices affected by the Coruna exploit kit

Updates are applied to devices running iOS 15.8.7 and iPadOS 15.8.7, as well as iOS 16.7.15 and iPadOS 16.7.15. Affected hardware includes:

  • iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPhone 8, iPhone 8 Plus, and iPhone
  • iPad Air 2, iPad mini (4th generation), iPad (5th generation), 9.7-inch iPad Pro, 12.9-inch iPad Pro (1st generation), and iPod touch (7th generation)

Three threat groups using the Coruna exploit kit

According to Google Threat Intelligence Group (GTIG), the Coruna exploit kit has been used by at least three different threat groups since February 2025. These include a suspected Russian state-backed group tracked as UNC6353, a surveillance vendor customer, and a financially motivated Chinese threat actor tracked as UNC6691.

UNC6691 deployed the exploit kit via fake gambling and cryptocurrency websites to distribute malware that stole cryptocurrency wallet data from infected devices.

CISA orders US agencies to patch vulnerabilities exploited by Coruna

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added several vulnerabilities exploited by Coruna to its Known Exploited Vulnerabilities catalog.

Federal agencies have been ordered to apply patches to affected devices by March 26 to reduce the risk of compromise. Apple recommends that users update their devices as soon as possible through Settings > General > Software Update to ensure they are protected against these vulnerabilities.

Apple has not indicated whether more patches related to this exploit kit are planned.


