Apple Issues Emergency Security Update for Legacy iPhone/iPad Devices to Patch Coruna-Exploited WebKit Flaw

Event Overview

Apple announced an emergency security update for a range of older iOS devices that cannot upgrade to iOS 17.2 or later. The update back‑ports a fix originally shipped with iOS 17.2 on 2023‑12‑11 for the high‑severity WebKit vulnerability CVE‑2023‑43010, which was actively exploited by the Coruna exploit kit.

Affected Devices and Versions

The update applies to the following devices and OS versions:

iOS 15.8.7 / iPadOS 15.8.7 for iPhone 6s (all variants), iPhone 7 (all variants), first‑generation iPhone SE, iPad Air 2, iPad mini 4, and seventh‑generation iPod touch.

iOS 16.7.15 / iPadOS 16.7.15 for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th gen, iPad Pro 9.7‑inch, and first‑generation iPad Pro 12.9‑inch.

Details of the Fixed Vulnerabilities

CVE‑2023‑43010 is the core issue addressed. It is a memory‑corruption bug in WebKit that can be triggered by visiting a maliciously crafted webpage in Safari, potentially leading to arbitrary code execution.

In addition, the iOS 15.8.7 / iPadOS 15.8.7 update includes patches for three other WebKit‑related CVEs that were also linked to the Coruna exploit kit:

CVE‑2023‑43000 (iOS 16.6) – Use‑after‑free leading to code execution.

CVE‑2023‑41974 (iOS 17) – Use‑after‑free enabling kernel privilege escalation to root.

CVE‑2024‑23222 (iOS 17.3) – Type confusion allowing arbitrary code execution.

Coruna Exploit Kit Deep Dive

The Coruna kit contains 23 independent exploits organized into five attack chains, covering iOS 13.0 through 17.2.1. It provides a full path from browser sandbox escape to kernel privilege escalation and is considered one of the most complex iOS exploit frameworks observed.

Two of the exploits in Coruna reuse vulnerabilities previously weaponized in the Operation Triangulation APT campaign (CVE‑2023‑32434 and CVE‑2023‑38606). According to Kaspersky’s senior security researcher Boris Larin, while the same vulnerabilities appear, there is insufficient evidence to attribute Coruna to any known APT group, and the reports from Google and iVerify do not claim code reuse.

"Although we have conducted in‑depth research, we cannot attribute Operation Triangulation to any known APT organization or exploit development company. Google and iVerify’s reports do not claim Coruna reuses Triangulation’s code; they only note that two vulnerabilities target the same flaws. Attribution based solely on similarity is insufficient," – Boris Larin, Kaspersky.

Security Recommendations

For Individual Users

Update immediately: install iOS 17.2 or later if your device supports it; otherwise apply the released iOS 15.8.7 or iOS 16.7.15 update.

Verify device compatibility before updating.

Avoid visiting untrusted webpages or clicking unknown links, especially shortened URLs.

Enable automatic updates in Settings to ensure you receive future patches promptly.

For Enterprise Users

Maintain an inventory of legacy devices that require special maintenance.

Apply additional network access controls for devices that cannot be updated.

Strengthen Mobile Device Management (MDM) policies.

Provide threat‑intel training on the Coruna exploit kit for security teams.

Conclusion

The emergency update is significant because it not only patches a vulnerability actively exploited by a sophisticated exploit kit, but also highlights the ongoing threat landscape for mobile devices. While the Coruna framework demonstrates how nation‑state‑level tools can trickle into broader black‑market use, keeping devices up‑to‑date remains the most effective defense for both ordinary users and organizations.