Coruna exploit kit exposes risks for outdated iOS users
A newly analysed iOS exploit kit known as Coruna has drawn attention to the risks facing iPhone and iPad users running older versions of Apple's mobile operating system, particularly iOS 13 through iOS 17.2.1.
Security researchers describe Coruna as a modular toolkit delivered through a malicious website. It checks the device model and software version, then selects an exploit chain built for that target. The approach reflects a wider shift in mobile threats, where attackers combine multiple weaknesses and automate the steps needed to compromise a device.
Apple has patched many of the vulnerabilities referenced by researchers in current iOS releases. Risk remains for users who have not installed updates or who use devices that cannot upgrade beyond older versions.
The discussion comes as Apple has adjusted version numbering across its operating systems. Numbering now aligns across product lines, and iOS has moved beyond the sequence that previously ended with iOS 18. That change could confuse some users and organisations when checking whether devices are supported and receiving security fixes.
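A fleet check for the range discussed above, added here as an illustration and not taken from the researchers' analysis: it compares each reported OS version numerically against iOS 13 through iOS 17.2.1, so that old releases such as 9.x and post-renumbering releases are not misfiled by a text comparison. The CSV layout, device names and sample versions are assumptions constructed for the example.

```python
import csv
import io
import re

# Version range stated in the article: iOS 13 through iOS 17.2.1, inclusive.
RANGE_LOW = (13, 0, 0)
RANGE_HIGH = (17, 2, 1)

# Constructed sample of an MDM inventory export (hypothetical devices).
SAMPLE_INVENTORY = """device,os_version
ipad-lobby,9.3.6
iphone-sales-01,13.0
iphone-ops-07,17.2.1
iphone-exec-02,17.3
iphone-new-11,26.0
iphone-byod-04,iOS 16.7.2
iphone-byod-09,unknown
"""

# Optional "iOS"/"iPadOS" prefix, then one to three dotted numeric fields.
VERSION_RE = re.compile(r"(?:i(?:pad)?os)?\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", re.I)

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the field is unusable."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        return None
    return tuple(int(g or 0) for g in m.groups())

def classify(text):
    """Place one reported version relative to the article's range."""
    v = parse_version(text)
    if v is None:
        return "unparsed"          # needs manual review, never assume patched
    if v < RANGE_LOW:
        return "older_than_range"  # outside the stated range, review separately
    if v <= RANGE_HIGH:
        return "in_range"
    return "newer_than_range"

def triage(csv_text):
    """Group device names by classification, preserving inventory order."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets.setdefault(classify(row["os_version"]), []).append(row["device"])
    return buckets

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices)}")
```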
Exploit chains
Coruna reportedly combines 23 vulnerabilities into five exploit chains for iOS 13 through iOS 17.2.1. The chains are designed to break through multiple layers of platform security, including sandboxing and privilege restrictions.
Once an attacker gains control, the device can become a stepping stone into wider systems. A compromised handset can expose stored information and communications, and provide access to tokens and credentials that keep users signed into corporate applications.
These techniques are not new, but automation changes the scale and speed of attacks. Mobile threats have often been associated with highly targeted operations. Tooling that fingerprints devices and deploys a matching exploit chain makes it easier to run campaigns against larger pools of potential victims.
Business risk
For businesses, the most immediate issue is the role phones play in daily work. Many organisations allow staff to access email, messaging tools, document stores, customer systems, and administrative portals from personal or corporate devices. Those devices can hold session tokens that persist after sign-in and reduce how often users must authenticate.
A device-level compromise can also undermine controls used for remote work. Attackers can intercept communications or use a hijacked device to approve authentication requests when the handset acts as a second factor.
Shane Barney, chief information security officer at Keeper Security, said the Coruna analysis underscored how mobile endpoints feature in cyber operations.
"The emergence of 'Coruna,' a sophisticated iOS exploit kit analyzed by security researchers, starkly illustrates how strategically important mobile devices have become in modern cyber operations," he said.
Patching limits
Coruna also highlights the limits of patching as a sole line of defence. Even when vendors issue fixes, security teams face deployment delays. Consumers often postpone updates, and organisations may need time to validate releases and manage compatibility across device fleets. Older handsets may also lose support and remain permanently exposed to known vulnerabilities.
Barney framed the response as a mix of software maintenance and identity-and-access design. He argued that mobile security should assume device compromise is possible and limit what an attacker can do next.
"For organizations, the response must be architectural and identity-centric. Rapid patching is essential, but not sufficient. Security leaders should assume that mobile endpoints can be compromised and focus on limiting impact. Strong mobile device management, hardware-backed attestation, strict app governance, and continuous monitoring are critical. Most importantly, identity must be treated as the control plane: enforcing least-privilege access, zero-trust segmentation, and adaptive multi-factor authentication ensures that even if a device is breached, the organization itself remains resilient," said Barney.
Scaling up
Researchers and defenders track exploit kits because techniques spread. As technical write-ups circulate, methods become easier to reproduce. Attackers can also repackage components, swap delivery methods, or combine exploitation with credential theft and social engineering.
"This incident also reinforces a broader reality: modern exploit kits are engineered for scale. Automated fingerprinting, exploit chaining, and modular payload delivery reflect a level of operational maturity that reduces reliance on highly targeted, bespoke attacks. Organisations must therefore prepare for advanced capabilities becoming more widely accessible over time," said Barney.
He added that mobile devices now serve as a direct route into corporate networks and applications.
"Mobile devices are no longer peripheral endpoints; they are privileged gateways into enterprise infrastructure. Securing credentials, session tokens, and privileged access pathways is fundamental to preventing an initial device compromise from escalating into a wider breach," said Barney.