CISA Mandates Federal Agencies to Address DarkSword iOS Vulnerabilities by April 3, 2026
WASHINGTON | The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal civilian agencies remediate three critical vulnerabilities in Apple’s iOS by April 3, 2026. This directive underscores a complex and concerning cybersecurity landscape. The vulnerabilities, known collectively as DarkSword, have been linked to sophisticated exploit chains employed by various threat actors for purposes including surveillance, data theft, and geopolitical targeting.
The vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog—CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520—are part of a broader exploit framework that leverages six distinct flaws. These flaws affect iPhones running iOS versions 18.4 through 18.7, allowing attackers to escape application sandboxes, elevate privileges, and execute malicious payloads with full kernel access. Google has confirmed that Apple has addressed these vulnerabilities in recent software updates, including a comprehensive fix in iOS 26.3.
A Federal Deadline and a Larger Warning
CISA’s directive falls under Binding Operational Directive 22-01, which requires federal agencies to remediate vulnerabilities believed to be actively exploited. The agency has highlighted that these vulnerabilities are common attack vectors, posing significant risks to federal operations. While the order specifically targets federal agencies, its implications extend to a wider audience, indicating that the exploitation of these vulnerabilities has moved from theoretical to practical application.
For security teams, the directive shifts the question from whether to patch to how quickly fleets can be updated without leaving devices exposed in the interim. The urgency follows from confirmed in-the-wild exploitation, not from a theoretical risk assessment.
For non-government Apple users, the message is equally clear. Google has urged users to update their devices to the latest iOS version and recommended enabling Lockdown Mode where updates are not feasible. A collaborative investigation by iVerify, Lookout, and Google into the DarkSword delivery infrastructure has highlighted the rapid spread of nation-state-grade mobile exploitation techniques into broader operational contexts.
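The practical task behind the directive is inventory triage: which managed iPhones sit in the affected version range, and how many days remain before the KEV due date. The following is an added example written for this article, not code from CISA, Google, Apple, or the article itself. It assumes a device list exported from an MDM as (device_id, version) pairs, treats any build of iOS 18.4 through 18.7 as affected (the range the article names) and iOS 26.3 or later as patched (the fix the article cites), and marks anything else as "unverified" because the article does not say whether intermediate builds are fixed; Apple's own advisories remain the authority for exact fixed builds. The KEV entries and the inventory below are constructed sample data carrying only the CVE IDs and due date stated in the article.

```python
"""Fleet triage for the DarkSword KEV entries (added example, not from the article)."""
from datetime import date

# CVE IDs and remediation due date as stated in the article (constructed KEV-style records).
KEV_ENTRIES = [
    {"cveID": "CVE-2025-31277", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-43510", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-43520", "dueDate": "2026-04-03"},
]

# Assumption from the article's wording: every 18.4.x through 18.7.x build is affected,
# and 26.3 or later carries the comprehensive fix. Anything in between is "unverified".
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)   # compared on major.minor, so 18.7.1 is still affected
FIXED_MIN = (26, 3)


def parse_version(text):
    """'iOS 18.6.2' -> (18, 6, 2); pads to three components so '18' -> (18, 0, 0)."""
    text = text.strip()
    if text.lower().startswith("ios"):
        text = text[3:].strip()
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True when major.minor falls inside the range the article names."""
    major_minor = parse_version(version)[:2]
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def is_patched(version):
    """True when the device runs the release the article cites as the fix, or newer."""
    return parse_version(version)[:2] >= FIXED_MIN


def classify(version):
    if is_affected(version):
        return "affected"
    if is_patched(version):
        return "patched"
    return "unverified"   # outside both stated ranges; confirm against Apple's advisory


def triage(inventory, today_iso, kev_entries=KEV_ENTRIES):
    """Return the devices that still need action, with days left until the earliest due date.

    inventory: iterable of (device_id, version_string); today_iso: 'YYYY-MM-DD'.
    """
    today = date.fromisoformat(today_iso)
    due = min(date.fromisoformat(e["dueDate"]) for e in kev_entries)
    cves = sorted(e["cveID"] for e in kev_entries)
    report = []
    for device_id, version in inventory:
        status = classify(version)
        if status == "patched":
            continue
        report.append({
            "device": device_id,
            "version": version,
            "status": status,
            "cves": cves,
            "days_left": (due - today).days,
            "overdue": today > due,
        })
    return report


# Constructed sample inventory; device names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("iphone-finance-01", "iOS 18.4.1"),
    ("iphone-ops-07", "18.6.2"),
    ("iphone-ops-08", "18.7.1"),
    ("iphone-exec-02", "26.3"),
    ("iphone-exec-03", "26.3.1"),
    ("iphone-legacy-01", "18.3.2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, "2026-03-23"):
        print(f"{row['device']:18} {row['version']:10} {row['status']:10} "
              f"due in {row['days_left']} days  {', '.join(row['cves'])}")
```

Run on the sample inventory as of the article's publication date, the script lists three affected devices and one unverified device with eleven days left, and drops the two devices already on 26.3 or later. The "unverified" bucket is deliberate: a version that is outside the range the advisory names is not the same as a version confirmed fixed, and conflating the two is how legacy devices slip through a deadline.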
The Anatomy of an iPhone Break-In
According to Google’s technical analysis, DarkSword represents a complete exploit chain constructed entirely in JavaScript. This design choice allows it to interact with native interfaces and exploit iOS internals without relying on unsigned binary payloads. The exploit chain utilizes six vulnerabilities, including two memory corruption bugs in JavaScriptCore, a bypass for Apple’s pointer authentication protections in dyld, a memory corruption flaw in ANGLE, and two kernel-level bugs that facilitate full device control.
The vulnerabilities involved include CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. Some of these vulnerabilities were reportedly used as zero-days, creating a pathway from malicious web content to complete compromise of vulnerable iPhones. Unlike older exploit kits that targeted a wider range of operating systems, DarkSword is specifically tailored for iOS versions 18.4 through 18.7, indicating a focused and modular development cycle.
The malware families associated with DarkSword serve various purposes. Google identified three distinct families: GHOSTBLADE, a JavaScript infostealer; GHOSTKNIFE, a backdoor capable of exfiltrating large volumes of data; and GHOSTSABER, a script that can execute code while stealing information. iVerify noted that one version of the exploit specifically targeted devices in Ukraine running iOS versions 18.4 to 18.6.2.
From Spyware Market to Multipurpose Weapon
The broader implications of DarkSword lie in its distribution. Google has characterized the exploit chain as an example of advanced capabilities proliferating among disparate actors, echoing the earlier Coruna platform. DarkSword has reportedly been employed by a mix of commercial surveillance vendors and suspected state-sponsored groups, including UNC6748 and UNC6353. This proliferation suggests that the market for elite mobile exploits is no longer confined to a single vendor-client relationship.
For instance, UNC6748, identified as a customer of the Turkish commercial surveillance vendor PARS Defense, utilized a Snapchat-themed lure site to target users in Saudi Arabia. Meanwhile, UNC6353, a suspected Russian espionage actor, deployed DarkSword in watering-hole attacks against individuals visiting compromised Ukrainian websites related to e-commerce and local services. Lookout, which assisted in uncovering the infrastructure, indicated that DarkSword was being used in campaigns aligned with Russian intelligence objectives and also by actors with financial motives.
This duality—espionage on one side and financially motivated theft on the other—highlights the evolving nature of mobile exploit chains. Once a mobile exploit reaches a certain level of sophistication, it can become a flexible tool, adaptable for both political and criminal objectives.
The Quiet Vulnerability of the Modern Phone
Historically, smartphones have been viewed as secondary in the cybersecurity landscape—important but not central. This perception is shifting, and the emergence of DarkSword underscores this change. iVerify estimates that up to 270 million devices may have been running vulnerable versions of iOS, marking this incident as the second mass iOS attack disclosed within a short time frame. The warning extends beyond the need for patching; it emphasizes the challenge of detecting subtle mobile compromises in environments that prioritize monitoring laptops, servers, and cloud systems over mobile devices.
CISA’s order signifies a recognition that iPhones—long marketed as the most secure mainstream consumer devices—are now firmly embedded within the threat models of state actors, surveillance vendors, and financially motivated attackers. While federal agencies have until April 3 to respond, the global community is similarly cautioned: update now, or risk exposing devices that may have become more vulnerable than users realize.
As reported by cyberwarriorsmiddleeast.com.
Published on 2026-03-23 19:20:00 • By Editorial Desk