Vulnerability Intelligence

Patched in 2023. Weaponized Anyway. CVE-2023-43000 Is Now on CISA's KEV Catalog.

CS
CyberSpit
March 2026 10 min read

A use-after-free flaw in Apple's WebKit rendering engine sat quietly exploited for more than two years before Google's Threat Intelligence Group exposed it as a live weapon: CVE-2023-43000 is a confirmed component of the Coruna iOS exploit kit, a commercial-grade attack framework that circulated through surveillance operators, a Russian espionage group, and a Chinese financially motivated threat actor before CISA added it to the Known Exploited Vulnerabilities catalog on March 5, 2026. Every unpatched Apple device running macOS Ventura below 13.5, iOS below 16.6, iPadOS below 16.6, or Safari below 16.6 remains a live target.

On March 5, 2026, CISA added CVE-2023-43000 to its Known Exploited Vulnerabilities catalog alongside four other flaws: CVE-2017-7921 (Hikvision improper authentication), CVE-2021-22681 (Rockwell insufficient protected credentials), CVE-2021-30952 (Apple integer overflow), and CVE-2023-41974 (Apple iOS and iPadOS use-after-free). The CISA addition directly followed Google Threat Intelligence Group's (GTIG) March 3, 2026 disclosure of the Coruna iOS exploit kit — a sophisticated commercial-grade framework containing 23 individual exploits organized into five full exploit chains, capable of targeting iPhones running iOS 13.0 through iOS 17.2.1. CVE-2023-43000 is one of the WebKit remote code execution exploits embedded in that kit. Federal Civilian Executive Branch agencies have until March 26, 2026 to remediate. For everyone else, that date is a de facto urgency marker.

CVE-2023-43000 at a Glance

The CVE identifier CVE-2023-43000 was reserved by the MITRE Corporation on September 14, 2023, and formally published to the National Vulnerability Database on November 5, 2025. Apple assigned the CVE and disclosed it in the security advisories accompanying macOS Ventura 13.5, iOS 16.6, iPadOS 16.6, and Safari 16.6 — all released on July 24, 2023. The delayed NVD publication relative to the patch release is notable: Apple originally bundled this fix into a broader security update without a public CVE mapping, and did not update the iOS 16.6 and iPadOS 16.6 security release notes to include a specific entry for CVE-2023-43000 until November 11, 2025 — more than two years after the patch shipped. The full NVD record did not receive enrichment until that same period, leaving a long window during which automated vulnerability management systems would not have flagged this CVE against Apple patch inventories.

CVE-2023-43000 Quick Reference

CVE ID: CVE-2023-43000
Weakness: CWE-416 (Use After Free)
Affected Component: WebKit (Apple's browser rendering engine)
Affected Platforms: macOS Ventura (before 13.5), iOS (before 16.6), iPadOS (before 16.6), Safari (before 16.6)
Impact: Processing maliciously crafted web content may lead to memory corruption
Fix Available: macOS Ventura 13.5, iOS 16.6, iPadOS 16.6, Safari 16.6
CISA KEV Added: March 5, 2026
Federal Remediation Deadline: March 26, 2026
NVD Source: nvd.nist.gov/vuln/detail/CVE-2023-43000

Apple's official advisory language describes the fix as: a use-after-free issue addressed with improved memory management, noting that processing maliciously crafted web content may lead to memory corruption. That phrasing — "maliciously crafted web content" — is Apple's standard language for vulnerabilities that can be triggered entirely through a browser visit, without requiring local access, a malicious application download, or any additional user interaction beyond loading a page.

"A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6. Processing maliciously crafted web content may lead to memory corruption." — Apple Inc., CVE-2023-43000 Official Advisory

The patch references for this CVE span three separate Apple support pages: support.apple.com/en-us/120324 (Safari 16.6), support.apple.com/en-us/120331 (macOS Ventura 13.5), and support.apple.com/en-us/120338 (iOS 16.6 and iPadOS 16.6).

What Use-After-Free Actually Means in a Browser Engine

Use-after-free (UAF) is classified under CWE-416 in the MITRE Common Weakness Enumeration framework. At its core, the vulnerability class describes a condition where software continues to reference memory that has already been released back to the operating system or memory pool. After memory is freed, the heap manager marks it as available. If the original pointer is not nullified, it becomes a "dangling pointer" — still pointing at a memory address that may now be reallocated for a completely different object or process.

The critical danger emerges when that freed memory is subsequently claimed by an attacker-controlled allocation. At that point, the application's dangling pointer and the attacker's new allocation reference the same physical memory region. When the vulnerable code then dereferences the original pointer, it is actually reading from or writing to memory that the attacker now controls. In the context of a JavaScript engine inside a browser, this is an extremely powerful primitive: JavaScript provides attackers with fine-grained control over heap layout, allocation timing, and object sizing — precisely the tools needed to win the race to occupy freed memory with attacker-controlled data.

// Conceptual illustration of a use-after-free condition
// NOT specific exploit code for CVE-2023-43000

void* ptr = allocate_webkit_object();   // Allocate a WebKit object
free_webkit_object(ptr);                // Object freed; memory returned to heap
// -- attacker triggers controlled allocation here --
// -- freed region is now occupied by attacker data --
access_webkit_object(ptr);              // UAF: dereferencing stale pointer
                                        // now reads attacker-controlled memory

In the specific context of CVE-2023-43000, the flaw resides in WebKit's rendering pipeline. When the engine processes specially constructed web content — HTML, JavaScript, CSS, or some combination — it triggers an improper object lifecycle sequence. A memory object is freed while a reference to it persists within WebKit's internal state. When WebKit subsequently accesses that stale reference during continued page rendering, the use-after-free condition fires. Apple addressed this with improved memory management, meaning the fix tightened how WebKit tracks object lifetimes to ensure freed objects cannot be dereferenced through surviving references.

Memory Corruption and Arbitrary Code Execution

Memory corruption from a use-after-free can be exploited to achieve arbitrary code execution (ACE). A browser-based ACE means an attacker can run their own code at the privilege level of the browser process — on a mobile device, this is the first stage in an exploit chain that may ultimately lead to full device compromise, data exfiltration, and persistent surveillance.

CVSS average scores for CWE-416 flaws generally range from 7.0 to 9.0, with some reaching the maximum of 10.0 depending on attack complexity and impact scope. Browser-based use-after-free vulnerabilities that require only network access and minimal user interaction typically score toward the high end of that range because the attack vector is remote, no privileges are required on the target, and the potential for full code execution is real.

Attack Surface: Why WebKit Makes This Worse

WebKit is not simply the engine behind Safari. On iOS and iPadOS, Apple's App Store policies historically required all third-party browsers — Chrome, Firefox, Edge, DuckDuckGo, and every other alternative — to use WebKit as their underlying rendering engine. This means CVE-2023-43000 is not a Safari-only problem on mobile platforms. Any application on an unpatched iPhone or iPad that renders web content, whether a browser, a mail client, a news aggregator, or an enterprise application with an embedded web view, inherits this vulnerability.

On macOS, the exposure is somewhat narrower because non-WebKit browsers exist and are widely used. However, macOS applications that embed WKWebView for in-app web content rendering — a common pattern for settings pages, help documentation, and OAuth login flows — are also potentially exposed on unpatched systems running macOS Ventura versions prior to 13.5.

"Any third-party application that integrates WebKit for HTML processing may also be vulnerable to attacks. This includes enterprise applications, mail clients, and other software that depends on Apple's WebKit engine for rendering web content." — Security researcher analysis, Cyberpress.org

This breadth of exposure is what elevates a WebKit flaw from a browser vulnerability to a platform vulnerability. On iOS, the attack surface is essentially the entire device's relationship with the web. An attacker who controls a malicious webpage — or who is positioned to inject content into a legitimate page through a man-in-the-middle or supply chain attack — can trigger CVE-2023-43000 against any unpatched iOS 16 or earlier device, regardless of which browser the user happens to be running.

The exploitation model requires only that the victim visit or be redirected to a page containing the malicious payload. No file download is necessary. No explicit user approval is required. No credentials need to be entered. A single background network request to load crafted content can be sufficient to initiate the memory corruption sequence. This is the reason browser engine vulnerabilities are so highly valued by both commercial spyware vendors and nation-state operators.

The Coruna Exploit Kit: How CVE-2023-43000 Became a Weapon

The exploitation of CVE-2023-43000 did not emerge from independent actors stumbling upon an old Apple advisory. It was documented as a component of Coruna, a sophisticated iOS exploit kit disclosed publicly by Google's Threat Intelligence Group (GTIG) on March 3, 2026 — two days before the CISA KEV addition. GTIG named it "Coruna" after internal labels discovered in a debug instance of the kit that a threat actor accidentally left exposed. The kit contained five full iOS exploit chains built from 23 individual exploits, with some using non-public exploitation techniques and mitigation bypasses. The documentation within the kit featured extensive docstrings and comments written in native English, indicating a professionally developed commercial product.

GTIG tracked Coruna across three distinct threat actor ecosystems throughout 2025. The first observation came in February 2025, when researchers captured parts of an iOS exploit chain used by a customer of an unnamed commercial surveillance vendor. The second appearance was in summer 2025 — specifically July 2025 — when the same JavaScript framework appeared hosted on cdn.uacounter[.]com, loaded as a hidden iFrame on compromised Ukrainian websites spanning industrial equipment, retail, local services, and e-commerce. GTIG attributed this campaign to UNC6353, a suspected Russian espionage group. Critically, during this phase the framework was delivered only to iPhone users from a specific geolocation — not indiscriminately to all visitors. GTIG alerted Ukraine's CERT-UA, which assisted in cleaning up the compromised sites. During this phase, researchers recovered WebKit RCE exploits including CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000.

"How this proliferation occurred is unclear, but suggests an active market for 'second hand' zero-day exploits. Multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities." — Google Threat Intelligence Group, March 3, 2026
From Surveillance to Mass Financial Crime

The Coruna exploit kit's trajectory illustrates a critical pattern: capabilities developed for targeted surveillance proliferate into mass criminal campaigns. In December 2025, the kit moved to UNC6691, a financially motivated threat actor operating from China, which deployed it across a network of fake Chinese financial and cryptocurrency websites with no geolocation filtering — meaning any vulnerable iPhone visiting those pages was at risk. Mobile security firm iVerify independently discovered and reverse-engineered the same toolkit, tracking it under the name CryptoWaters. iVerify described the campaign as the first observed mass exploitation of iOS devices by a financially motivated criminal group.

"Coruna is one of the most significant examples we've observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations. Furthermore, it confirms what iVerify has long argued: the mobile threat landscape is not standing still, and the tools once reserved for targeting heads of state are now being deployed against ordinary iPhone users." — iVerify, March 2026

UNC6691's use of Coruna had a specific payload objective: cryptocurrency theft. The implant GTIG deployed at the end of the exploit chain is tracked as PlasmaLoader (also called PLASMAGRID). It injected itself into powerd, a daemon running as root on iOS, and was designed to decode QR codes from images and retrieve additional modules from an external server. GTIG's analysis found the implant hooks into at least 18 cryptocurrency wallet applications including MetaMask, Phantom, Exodus, Uniswap, Bitget Wallet, and Base, enabling exfiltration of wallet credentials and seed phrases. The implant also scanned Apple Memos for text matching BIP39 word sequences and keywords such as "backup phrase" and "bank account," with stolen data encrypted using AES before being sent to command-and-control servers. The implant injected itself into both powerd and imagent — two system-level iOS processes — using com.apple.assistd as its masquerading identifier, making it difficult to detect through process enumeration alone. The implant also embedded a custom domain generation algorithm (DGA) seeded with the string "lazarus" to generate fallback C2 domains if primary command-and-control servers were unavailable. Code comments within the implant were written in Chinese, and some appeared to have been generated by a large language model.

The fake websites used to deliver the exploit in UNC6691's campaign impersonated legitimate cryptocurrency exchanges and financial platforms. A documented example was a spoofed version of WEEX, a legitimate crypto trading platform, which displayed prompts encouraging users to visit from an iPhone. When accessed via iOS, a hidden iFrame silently delivered the exploit kit. The kit's fingerprinting module first identified the iPhone model and iOS version, then delivered the matching WebKit RCE exploit followed by a pointer authentication code (PAC) bypass.

CVE-2023-41974 and the Kernel Escalation Layer

CVE-2023-41974: iOS and iPadOS only. A use-after-free enabling kernel-level arbitrary code execution (privilege escalation). Codenamed "Parallax" within the Coruna kit. Patched in iOS 17 and iPadOS 17 (September 2023) — not in iOS 16.6. CISA KEV: March 5, 2026.

CVE-2023-43000: macOS Ventura, iOS, iPadOS, and Safari. A use-after-free enabling memory corruption and arbitrary code execution in the browser/WebKit process context. Codenamed "terrorbird" within the Coruna kit. Patched in macOS Ventura 13.5, iOS/iPadOS 16.6, Safari 16.6 (July 2023). CISA KEV: March 5, 2026.

These two CVEs do not share the same patch timeline. CVE-2023-43000 was addressed in July 2023; CVE-2023-41974 required the iOS 17 update released in September 2023. Both were added to the KEV catalog simultaneously following the Coruna disclosure. CVE-2021-30952 — the third Apple CVE added in the same March 5 KEV update, codenamed "buffout" in the Coruna kit — is an integer overflow in WebKit patched in iOS 15.2. CISA's co-listing reflects that all three are actively weaponized within the same framework, with CVE-2023-43000 providing browser-level code execution, CVE-2023-41974 providing a potential kernel-level escalation path, and CVE-2021-30952 targeting older iOS 15 devices.

Two exploits within the Coruna framework — internally named Photon and Gallium — exploit vulnerabilities that were previously used as zero-days in Operation Triangulation, a high-profile iOS espionage campaign uncovered by Kaspersky in June 2023. In that campaign, Russia's FSB claimed the operation was the work of the U.S. National Security Agency, alleging it targeted thousands of Apple devices belonging to domestic subscribers and foreign diplomats. Following the Coruna disclosure, some researchers publicly raised questions about potential U.S. government involvement given the vulnerability overlap. GTIG itself made no attribution claims connecting Coruna to U.S. government activity.

Kaspersky GReAT's Boris Larin argued that shared vulnerability targets do not imply shared authorship: both CVEs have publicly available implementations, meaning any capable team could develop independent exploits without access to the original Triangulation code. Larin stated Kaspersky found "no evidence of actual code reuse" to support attributing Coruna to the same authors. — Boris Larin, Principal Security Researcher, Kaspersky GReAT (via The Register, March 2026)

The shared vulnerabilities reflect that both kits target the same iOS attack surface, not necessarily common authorship. Their reuse in Coruna demonstrates how threat actors build on the same publicly-known vulnerability landscape, extending the operational life of flaws that predate their public CVE assignments by years.

"GTIG's writeup is notable precisely because it shows surveillance-grade exploit chains moving from targeted use to broad-scale criminal campaigns." — Gautam Goel, Senior Analyst, Everest Group (via CSO Online)

CISA's KEV Addition and What It Forces

The CISA Known Exploited Vulnerabilities catalog was established under Binding Operational Directive BOD 22-01, issued in November 2021. The directive created a formal, legally binding remediation framework for Federal Civilian Executive Branch agencies: when CISA adds a CVE to the KEV catalog, FCEB agencies must remediate by the listed due date or document an approved exception. For CVE-2023-43000, the federal remediation deadline is March 26, 2026 — 21 days from the March 5 KEV addition date.

The proximate cause of the KEV addition was Google GTIG's March 3, 2026 disclosure of the Coruna exploit kit. CISA's March 5 KEV update added three of the CVEs documented in the Coruna research — CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 — along with two unrelated entries for legacy Hikvision and Rockwell infrastructure. SecurityWeek noted at the time that there had been no public reports of exploitation of CVE-2023-43000 before the Coruna disclosure, making the GTIG research the first documented confirmation of active weaponization.

Critically, CISA itself emphasizes that KEV is not only a federal compliance instrument. The agency "strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice." The practical implication: KEV status means a vulnerability has crossed from theoretical risk to confirmed exploitation. Organizations that deprioritize KEV-listed CVEs are knowingly accepting risk against attack vectors that adversaries are actively weaponizing.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." — CISA, March 5, 2026 KEV alert for CVE-2023-43000

The March 5, 2026 KEV update also refreshed the CVE's NVD record with a new timestamp. This administrative detail matters for any automated vulnerability management platform that ingests NVD feeds: the record has been updated to reflect KEV status, which means scanner results and risk scoring models that consume NVD data should now reflect elevated priority for this CVE even on devices that were assessed as low priority prior to the KEV designation.

For enterprises managing Apple device fleets through mobile device management solutions, the KEV addition triggers several practical requirements. Inventory queries should immediately identify any macOS Ventura systems running versions earlier than 13.5 and any iOS or iPadOS devices running versions earlier than 16.6. MDM-enforced update policies should be reviewed and tightened if they allow extended deferral windows that would place remediation past March 26, 2026 for covered organizations.

Detection and Indicators of Compromise

CVE-2023-43000 is a memory corruption vulnerability exploited during browser rendering. It does not produce the kind of easily observable network signatures or file-system artifacts that traditional signature-based detection tools excel at catching. However, the Coruna exploit kit's documented delivery mechanics provide defenders with more specific detection signals than a generic UAF analysis would suggest.

The Coruna framework begins with a JavaScript fingerprinting module that silently collects device model, iOS version, and security configuration data before selecting and delivering the appropriate WebKit exploit. This fingerprinting phase generates network traffic that — in retrospect — can be identified in proxy and DNS logs as anomalous JavaScript execution originating from iFrame-embedded subresources on otherwise normal-looking pages. The kit was delivered exclusively via hidden iFrames, either on fake websites (UNC6691 campaign) or on legitimate sites that had been compromised and silently modified (UNC6353/Ukrainian campaign). Defenders with proxy telemetry covering iOS user agents should look for iFrame-sourced JavaScript requests to domains with no prior reputation, particularly from financial and crypto-related browsing sessions.

At the process level, defenders should monitor for WebKit process crashes accompanied by memory access violation errors or abnormal stack traces in system diagnostic logs. Apple's crash reporting infrastructure, accessible through Console.app on macOS, captures these events. On iOS and iPadOS, device management platforms with diagnostic log access can surface WebKit crashes at scale across a managed fleet. A cluster of WebKit crashes across multiple devices visiting similar domains or within a short time window warrants immediate investigation.

Post-exploitation indicators from the Coruna payload (PlasmaLoader/PLASMAGRID) include injection into both the powerd and imagent daemons using com.apple.assistd as a masquerading identifier, outbound connections to hard-coded C2 addresses, and DNS lookups to algorithmically generated .xyz domains derived from the seed string "lazarus." iVerify's independent analysis identified additional forensic persistence artifacts: evidence of infection can be found in Safari's browser history, in OSAnalyticsADDaily.plist, in DataUsage.db and NetUsage.db (accessible only on the full file system), and in Powerlogs. The infection URL may also persist in encrypted iTunes backups. iVerify further noted that the implant spawns dedicated threads with specific dispatch queue names — including plasma_supervisor and com.plasma.heartbeat.callback — which can appear in stack files within iOS Analytics, crash logs, or a spindump inside sysdiagnose. Mobile threat defense (MTD) solutions that monitor process injection and daemon-level behavioral anomalies are better positioned to detect this payload than traditional network-only monitoring.

# macOS: Review WebKit crash logs for memory corruption signatures
log show --predicate 'process == "com.apple.WebKit.WebContent"' \
         --info --last 7d | grep -i "EXC_BAD_ACCESS\|KERN_INVALID_ADDRESS"

# macOS: List recent Safari diagnostic reports
ls -lt ~/Library/Logs/DiagnosticReports/ | grep -i "Safari\|WebContent"

# MDM / endpoint query: Identify unpatched macOS Ventura versions
# (adapt to your MDM query language)
# SELECT * FROM devices WHERE os_version < '13.5' AND os_name = 'macOS Ventura'

# iOS MDM: Flag devices below minimum iOS version
# SELECT * FROM devices WHERE os_version < '16.6' AND platform = 'iOS'

The absence of detected crashes is not a clean bill of health. Sophisticated exploit chains targeting WebKit can include stability mitigations that prevent crashes even during successful exploitation. Detection confidence against skilled adversaries using this class of vulnerability requires layered telemetry combining process behavior, network activity, and crash data — not any single signal in isolation. The Coruna framework's use of PAC bypasses and reusable exploitation modules means its techniques extend beyond CVE-2023-43000 specifically; organizations that detect activity consistent with Coruna should treat it as a potential multi-stage compromise rather than a single-vulnerability event.

Remediation: What to Do Right Now

Apple released the patches for CVE-2023-43000 in July 2023. The fix is available in macOS Ventura 13.5, iOS 16.6, iPadOS 16.6, and Safari 16.6. Subsequent releases build on top of these patches, so any device running a current or post-July-2023 Apple OS release is protected against this specific CVE. The remediation action is simply: update to the relevant versions or newer. CISA's required action mirrors Apple's advisory recommendation directly: apply mitigations per vendor instructions.

For organizations that cannot immediately update all devices, CISA's BOD 22-01 guidance provides an alternative path: follow applicable guidance for cloud services, or discontinue use of the product if mitigations are unavailable. In practical terms, the middle path for enterprise environments with update constraints is to treat the affected device population as a higher-risk segment, restrict their access to sensitive network resources, apply web filtering to reduce exposure to untrusted content, and accelerate update timelines.

  1. Update macOS Ventura devices to version 13.5 or later (Settings > General > Software Update on device, or through MDM push policy). Devices already on macOS Sonoma or Sequoia are not affected by this CVE.
  2. Update iOS and iPadOS devices to version 16.6 or later for CVE-2023-43000 specifically. For full protection against the Coruna exploit kit — which includes exploits targeting iOS 17.2.1 — GTIG recommends updating to iOS 17.3 or later, as that is the version beyond which Coruna's chains are no longer effective. Devices that cannot run iOS 16 (older hardware) should be evaluated for replacement if they remain in production use processing sensitive data.
  3. Update Safari to version 16.6 or later on any macOS system where Safari is in use and the operating system has not been updated. Safari updates can sometimes be applied independently of the full OS update cycle on macOS.
  4. Audit third-party iOS applications with embedded WebKit views for any business-critical workflow that might be exposed. Even if end users have updated their browsers, internal enterprise applications using older SDK builds may warrant developer-level patching review.
  5. Review MDM policies to ensure update deferrals do not extend past March 26, 2026 for any device covered by BOD 22-01, and to minimize deferral windows for all managed Apple devices regardless of federal compliance scope.
  6. Enable Apple Lockdown Mode on high-risk devices. GTIG's analysis of the Coruna exploit kit confirmed that the framework terminates its exploitation sequence when Lockdown Mode is active. The kit also aborts when private browsing mode is detected, providing a secondary behavioral signal and a partial interim measure for standard users. For journalists, executives, legal staff, activists, diplomats, or any user who may be a target of sophisticated or nation-state-grade attacks, enabling Lockdown Mode is a substantive protective measure against this class of WebKit exploit. Lockdown Mode restricts certain web technologies and JavaScript features that exploit kits rely on. It is not recommended for general use due to functionality trade-offs, but for high-risk users on devices that cannot immediately be updated, it is the most effective interim mitigation available.
  7. Enable automatic security updates on all Apple devices in the organization. Apple's automatic update mechanism delivers patches for critical WebKit vulnerabilities through Rapid Security Responses and standard OS updates. Disabling automatic updates increases the window of exposure for future CVEs of this class.

Organizations that have deployed older iPhone or iPad models no longer receiving iOS 16 updates face a harder remediation question. Devices stuck on iOS 15 or earlier cannot receive the patches that address CVE-2023-43000 and should not be used to access untrusted web content. For environments where device replacement is not immediately feasible, network segmentation, web content filtering at the proxy layer, and prohibition of general-purpose web browsing on these devices are the primary risk reduction options available.

Key Takeaways

  1. CVE-2023-43000 is a confirmed component of the Coruna iOS exploit kit: Google's Threat Intelligence Group disclosed Coruna on March 3, 2026 — a framework containing 23 exploits across five iOS exploit chains. CVE-2023-43000 appeared as one of the WebKit RCE exploits in at least two of the kit's deployment campaigns. CISA's March 5, 2026 KEV addition followed directly from that disclosure. This is no longer theoretical risk: the vulnerability has a documented exploit, documented threat actors, and documented victims.
  2. The attack vector is passive browsing: No file download, no application installation, and no credential entry is required to trigger this vulnerability. The Coruna kit used hidden iFrames on compromised and fake websites to silently deliver the exploit to any vulnerable iPhone that loaded the page. A user simply needs to visit a page containing malicious web content on an unpatched Apple device.
  3. WebKit's reach on iOS makes this a platform-wide issue: On iOS and iPadOS, every browser and many applications use WebKit. An unpatched iPhone is vulnerable regardless of which browser the user runs. Remediation requires OS-level patching, not just browser updates.
  4. The kit passed through three distinct threat actor ecosystems in under a year: From a commercial surveillance vendor customer (February 2025), to Russian espionage group UNC6353 targeting Ukrainian websites via geolocation-filtered delivery (July 2025), to Chinese financially motivated group UNC6691 targeting cryptocurrency users in fake financial websites with no geolocation filtering — meaning any vulnerable iPhone was at risk (December 2025). This progression shows how sophisticated capabilities proliferate from commercial surveillance tools into nation-state operations and ultimately mass criminal campaigns.
  5. Lockdown Mode blocks the kit: GTIG confirmed that the Coruna exploit kit terminates when Apple Lockdown Mode is active. The kit also aborts when private browsing mode is detected. For high-risk users who cannot immediately patch, enabling Lockdown Mode is a documented and effective interim mitigation against this class of attack.
  6. Patching is available and has been available since July 2023: Apple released fixes in macOS Ventura 13.5, iOS 16.6, iPadOS 16.6, and Safari 16.6. Any device already running later OS versions is protected. The remediation path is straightforward: update.

The gap between Apple's July 2023 patch and CISA's March 2026 KEV designation for CVE-2023-43000 illustrates a pattern the Coruna disclosure makes concrete: vulnerabilities do not expire after a patch is released, and CVEs do not become irrelevant simply because they lack NVD enrichment. CVE-2023-43000 spent more than two years without a public NVD record, without a CVSS score, and without significant industry attention — while threat actors were quietly incorporating it into one of the most sophisticated iOS exploit kits ever documented. The KEV catalog exists precisely to surface that gap. Organizations that treat KEV as a federal compliance checkbox rather than a threat signal are accepting risk against attack vectors that adversaries are already weaponizing against real targets.

Sources

  1. CISA. (March 5, 2026). CISA Adds Five Known Exploited Vulnerabilities to Catalog. cisa.gov
  2. CISA. Known Exploited Vulnerabilities Catalog — CVE-2023-43000. cisa.gov/known-exploited-vulnerabilities-catalog
  3. Google Threat Intelligence Group. (March 3, 2026). Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit. cloud.google.com
  4. National Vulnerability Database. (Published November 5, 2025; Updated March 5, 2026). CVE-2023-43000 Detail. nvd.nist.gov
  5. Apple Inc. (July 24, 2023; security notes updated November 11, 2025). About the security content of macOS Ventura 13.5. support.apple.com/en-us/120331
  6. Apple Inc. (July 24, 2023; security notes updated November 11, 2025). About the security content of iOS 16.6 and iPadOS 16.6. support.apple.com/en-us/120338
  7. Apple Inc. (July 24, 2023). About the security content of Safari 16.6. support.apple.com/en-us/120324
  8. MITRE Corporation. CWE-416: Use After Free. cwe.mitre.org
  9. Toulas, B. (March 5, 2026). Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks. BleepingComputer. bleepingcomputer.com
  10. SecurityWeek. (March 5, 2026). CISA Adds iOS Flaws From Coruna Exploit Kit to KEV List. securityweek.com
  11. Zorz, Z. (March 3, 2026). Coruna: Spy-grade iOS exploit kit powering financial crime. Help Net Security. helpnetsecurity.com
  12. ZeroPath. (November 5, 2025). WebKit Use After Free in Apple Platforms (CVE-2023-43000): Brief Summary and Technical Details. zeropath.com
  13. The Hacker News. (March 5, 2026). Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1. thehackernews.com
  14. Windows Forum. (March 2026). CISA KEV Update: Five New Exploited CVEs Across IoT, ICS, and Apple. windowsforum.com
  15. MacRumors. (July 24, 2023). iOS 16.6, macOS Ventura 13.5, and Other Updates Patch Actively Exploited Vulnerabilities. macrumors.com
  16. Larin, B. (March 5, 2026). Statement to The Register re: Coruna/Operation Triangulation attribution. Kaspersky GReAT. Reported in: Bisson, S. Kaspersky: No signs Coruna iPhone exploit kit made by US. The Register. theregister.com
  17. Weiss, A. (March 5, 2026). 3 Apple flaws from Coruna exploit kit added to CISA vulnerability list. SC Media. scworld.com
  18. Kovacs, E. (March 4, 2026). Nation-State iOS Exploit Kit ‘Coruna’ Found Powering Global Attacks. SecurityWeek. securityweek.com
  19. CSO Online. (March 4, 2026). Coruna iOS exploit kit moved from spy tool to mass criminal campaign in under a year. csoonline.com
  20. iVerify. (March 3, 2026). Coruna: Inside the Nation-State-Grade iOS Exploit Kit We’ve Been Tracking. iverify.io
Back to all articles