Latest Apple device exploitation #
Several vulnerabilities affecting Apple's device ecosystem have been weaponized into an exploit chain known as DarkSword. These vulnerabilities enable remote code execution and payload deployment when a user visits a malicious website.
This exploit chain is known to have been used by multiple commercial surveillance vendors and suspected state-sponsored actors. In March 2026, the chain and related exploit kit tooling was leaked publicly and is now available for use by a wider range of malicious actors.
While the exploit kit was used to attack iOS, the vulnerabilities are known to have existed in iPadOS, macOS, tvOS, watchOS, and visionOS.
There are 6 vulnerabilities known to be part of the DarkSword exploit chain:
- CVE-2025-14174 - Memory corruption vulnerability in ANGLE, patched in 18.7.3 and 26.2
- CVE-2025-31277 - Memory corruption vulnerability in JavaScriptCore, patched in 18.6
- CVE-2025-43510 - Memory management vulnerability in the iOS kernel, patched in 18.7.2 and 26.1
- CVE-2025-43520 - Memory corruption vulnerability in the iOS kernel, patched in 18.7.2 and 26.1
- CVE-2025-43529 - Memory corruption vulnerability in JavaScriptCore, patched in 18.7.3 and 26.2
- CVE-2026-20700 - User-mode Pointer Authentication Code (PAC) bypass in dyld, patched in 26.3
What is the impact? #
Upon successful exploitation of the exploits above the attacker is able to compromise the target device and install backdoor software.
Are updates or workarounds available? #
Vulnerable devices should be upgraded 26.3 or later. If the device cannot be updated to 26.3, update to 18.7.3 or later. Both of these updates were released in Feb 2026.
If the device cannot be updated then Lockdown mode can be enabled to mitigate the risk of these vulnerabilities. Lockdown mode is a highly restrictive security mode that may cause some functionality to be limited.
How do I find potentially vulnerable Apple devices with runZero? #
From the Asset Inventory, use the following query to locate assets running potentially vulnerable versions of the affected products:
(os:="apple ios" OR os:="apple ipados" OR os:="apple tvos" OR os:="apple macos" OR os:="apple watchos" OR os:="apple visionos") AND osversion:>0 AND ((osversion:>="26.0" AND osversion:<"26.3") OR (osversion:>="18.0" AND osversion:<"18.7.3"))
