CISA Orders Federal Agencies to Remediate DarkSword iOS Vulnerabilities by April 3, 2026


WASHINGTON | The Cybersecurity and Infrastructure Security Agency (CISA) has directed federal civilian agencies to remediate three actively exploited vulnerabilities in Apple’s iOS by April 3, 2026. The order itself is routine; what it points to is not. The three flaws belong to an exploit chain that researchers at Google track as DarkSword, which has been used by several threat actors for surveillance, data theft and geopolitically targeted intrusions.

The vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog—CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520—are part of a broader exploit framework that leverages six distinct flaws. These flaws affect iPhones running iOS versions 18.4 through 18.7, enabling attackers to escape application sandboxes, elevate their privileges, and execute malicious payloads with full kernel access. Google has confirmed that Apple has addressed these vulnerabilities in recent software updates, with a comprehensive fix included in iOS 26.3.

A Federal Deadline and a Larger Warning

CISA’s directive falls under Binding Operational Directive 22-01, which requires federal civilian agencies to remediate vulnerabilities in the KEV catalog by a set due date; a CVE is added to the catalog only on evidence of active exploitation. CISA notes that such vulnerabilities are frequent attack vectors and pose significant risk to federal operations. The order binds only federal agencies, but the KEV listing itself is the wider signal: exploitation of these flaws has been observed in the wild, not merely demonstrated.

For security teams, the question is therefore not whether to patch but how fast the fleet can be moved to a fixed release without leaving devices exposed in the meantime, and what to do with devices that cannot be updated promptly. The first step is knowing which devices are actually sitting on an affected build.
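To turn the version figures above into an actionable check, here is an added example (not code from the article, Google, CISA or any MDM vendor) that triages a device inventory against the DarkSword-affected range. It assumes the article's figures (the chain targets iOS 18.4 through 18.7; the complete fix shipped in iOS 26.3) and a constructed inventory shaped like an MDM export; the device names and versions in it are made up.

```python
"""Triage an iOS device inventory against the DarkSword-affected range.

Added example; it is not code from the article, Google, CISA or any MDM
vendor. It assumes the figures the article gives: the chain targets iOS 18.4
through 18.7 and the complete fix shipped in iOS 26.3. The inventory at the
bottom is constructed sample data shaped like an MDM export.
"""
from __future__ import annotations

from dataclasses import dataclass

AFFECTED_MIN = (18, 4)   # first major.minor the chain targets (article figure)
AFFECTED_MAX = (18, 7)   # last major.minor the chain targets; 18.7.x point releases included
FIXED_VERSION = (26, 3)  # release the article says carries the complete fix


def parse_version(text: str) -> tuple[int, ...]:
    """'18.6.2' -> (18, 6, 2). Raises ValueError for anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def major_minor(version: tuple[int, ...]) -> tuple[int, int]:
    """Normalise to (major, minor); a bare '18' is treated as 18.0."""
    padded = tuple(version) + (0, 0)
    return padded[0], padded[1]


def in_affected_range(version: tuple[int, ...]) -> bool:
    """True when major.minor lies in 18.4 .. 18.7; the patch level is ignored."""
    return AFFECTED_MIN <= major_minor(version) <= AFFECTED_MAX


def is_fixed(version: tuple[int, ...]) -> bool:
    """True when the device runs the release with the complete fix, or later."""
    return major_minor(version) >= FIXED_VERSION


@dataclass(frozen=True)
class Finding:
    device: str
    reported: str
    status: str  # patched | exploited_range | below_fix | invalid


def triage(inventory: list[tuple[str, str]]) -> list[Finding]:
    """Classify every (device, reported_version) pair.

    Anything older than the fixed release is unpatched; devices inside the
    range the chain actually targets are called out separately so they are
    pushed first. Versions below 18.4 or between 18.7 and 26.3 are reported
    as below_fix: the article does not say they are safe, only that they
    were not the chain's target.
    """
    findings: list[Finding] = []
    for device, reported in inventory:
        try:
            version = parse_version(reported)
        except ValueError:
            findings.append(Finding(device, reported, "invalid"))
            continue
        if is_fixed(version):
            status = "patched"
        elif in_affected_range(version):
            status = "exploited_range"
        else:
            status = "below_fix"
        findings.append(Finding(device, reported, status))
    return findings


def remediation_queue(findings: list[Finding]) -> list[Finding]:
    """Unpatched devices in push order: targeted range first, then other unpatched, then unreadable."""
    priority = {"exploited_range": 0, "below_fix": 1, "invalid": 2}
    return sorted(
        (f for f in findings if f.status != "patched"),
        key=lambda f: priority[f.status],  # sorted() is stable, so inventory order is kept within a tier
    )


# Constructed sample inventory; names and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ios-field-01", "18.6.2"),  # inside the targeted range
    ("ios-field-02", "18.7.3"),  # 18.7 point release, still inside the range
    ("ios-exec-01", "26.3"),     # carries the complete fix
    ("ios-exec-02", "26.3.1"),   # later point release, also fixed
    ("ios-lab-01", "17.7.1"),    # below the targeted range but not on the fix
    ("ios-lab-02", "n/a"),       # MDM could not read the version
]

if __name__ == "__main__":
    for finding in remediation_queue(triage(SAMPLE_INVENTORY)):
        print(f"{finding.device:14} {finding.reported:8} {finding.status}")
```

Devices between 18.7 and 26.3 are reported as below_fix rather than patched because the article only states where the chain was targeted and where the complete fix landed; treat them as unpatched until Apple's release notes for the build in question say otherwise. A device whose version the MDM cannot read goes to the back of the queue only because it cannot be pushed an update blindly; it still needs a hands-on check.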

For Apple users outside government, the message is the same. Google has urged users to update to the latest iOS release and, where updating is not immediately possible, to enable Lockdown Mode, which disables browser features such as JIT compilation that web-delivered exploit chains commonly rely on. The joint investigation by iVerify, Lookout and Google into the DarkSword delivery infrastructure shows how quickly nation-state-grade mobile exploitation is spreading to a wider set of operators.

The Anatomy of an iPhone Break-In

According to Google’s technical analysis, DarkSword is a complete exploit chain written entirely in JavaScript: every stage, from the initial browser bug to kernel compromise, runs as script inside content the browser already executes, so the chain can reach native interfaces and iOS internals without dropping an unsigned binary payload onto the device. The chain uses six vulnerabilities: two memory corruption bugs in JavaScriptCore, a bypass of Apple’s pointer authentication (PAC) protections in dyld, a memory corruption flaw in ANGLE (the graphics layer WebKit uses for WebGL), and two kernel-level bugs that deliver full device control.

The vulnerabilities involved include CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. Some of these vulnerabilities were reportedly used as zero-days, creating a pathway from malicious web content to complete compromise of vulnerable iPhones. Unlike older exploit kits that targeted a wider range of operating systems, DarkSword is specifically tailored for iOS versions 18.4 through 18.7, indicating a focused and modular development cycle.

The malware families associated with DarkSword serve various purposes. Google identified three distinct families: GHOSTBLADE, a JavaScript infostealer; GHOSTKNIFE, a backdoor capable of exfiltrating large volumes of data; and GHOSTSABER, a script that can execute code while stealing information. iVerify noted that one version of the exploit specifically targeted devices in Ukraine running iOS versions 18.4 to 18.6.2.

From Spyware Market to Multipurpose Weapon

The broader implications of DarkSword lie in its distribution. Google has characterized the exploit chain as an example of advanced capabilities proliferating among disparate actors, echoing the earlier Coruna platform. DarkSword has reportedly been employed by a mix of commercial surveillance vendors and suspected state-sponsored groups, including UNC6748 and UNC6353. This proliferation suggests that the market for elite mobile exploits is no longer limited to a single vendor-client relationship.

For instance, UNC6748, identified as a customer of the Turkish commercial surveillance vendor PARS Defense, utilized a Snapchat-themed lure site to target users in Saudi Arabia. Meanwhile, UNC6353, a suspected Russian espionage actor, deployed DarkSword in watering-hole attacks against individuals visiting compromised Ukrainian websites related to e-commerce and local services. Lookout, which assisted in uncovering the infrastructure, indicated that DarkSword was being used in campaigns aligned with Russian intelligence objectives and also by actors with financial motives.

This duality—espionage on one side and financially motivated theft on the other—highlights the evolving nature of mobile exploit chains. Once a mobile exploit reaches a certain level of sophistication, it can become a flexible tool, adaptable for both political and criminal objectives.

The Quiet Vulnerability of the Modern Phone

Historically, smartphones have been viewed as secondary in the cybersecurity landscape—important but not central. This perception is shifting, and the emergence of DarkSword underscores this change. iVerify estimates that up to 270 million devices may have been running vulnerable versions of iOS, marking this incident as the second mass iOS attack disclosed within a short time frame. The warning extends beyond the need for patching; it emphasizes the challenge of detecting subtle mobile compromises in environments that prioritize monitoring laptops, servers, and cloud systems over mobile devices.

CISA’s order signifies a recognition that iPhones—long marketed as the most secure mainstream consumer devices—are now firmly embedded within the threat models of state actors, surveillance vendors, and financially motivated attackers. While federal agencies have until April 3 to respond, the global community is similarly cautioned: update now, or risk exposing devices that may have become more vulnerable than users realize.

For further details, refer to the reporting by the420.in.
