Spy-Grade iOS Exploit Kit Now Powering Financial Crime
Incident | 4 min read | For Security Engineers

What Happened

Between February and late 2025, threat actors deployed Coruna—an iOS exploit kit containing five complete exploit chains and 23 individual exploits—against targets ranging from iPhone models running iOS 13.0 through iOS 17.2.1. Google's Threat Intelligence Group (GTIG) and iVerify researchers documented the kit's evolution from espionage tooling to a commercial-grade weapon used in financially motivated attacks. This trend shows sophisticated zero-day chains, once exclusive to nation-state actors, now circulating in second-hand markets and being repurposed for financial crime.

Timeline

February 2025: First observed deployment of Coruna in the wild
Throughout 2025: Multiple campaigns detected using the kit for both espionage and financial crime
Late 2025: GTIG and iVerify publish detailed analysis of the exploit chains

The timeline reveals a pattern: a mature secondary market where yesterday's espionage tools become tomorrow's banking trojans.

Which Controls Failed or Were Missing

Patch Management Velocity

The affected iOS versions span four major releases. Organizations allowed devices running iOS 13.0 (released in 2019) to remain in production environments accessing corporate resources. When your patch lag extends to multi-year gaps, you're not managing technical debt—you're operating a museum of known vulnerabilities.

Device Inventory and Access Control

If you can't enumerate which iOS versions are accessing your network, you can't enforce minimum security baselines. The organizations hit by Coruna-based attacks lacked basic visibility into mobile device versions connecting to sensitive systems. This isn't a mobile device management (MDM) deployment failure—it's a failure to treat mobile endpoints as critical infrastructure.

Threat Intelligence Integration

GTIG documented 23 distinct exploits in this kit. That's 23 CVEs your vulnerability management process should have flagged, prioritized, and remediated. The failure wasn't ignorance—the patches existed. The failure was treating mobile OS updates as a user convenience rather than a security imperative.

Privilege and Access Segmentation

Devices running outdated operating systems were granted the same network access as current-patch endpoints. No conditional access policies. No network segmentation based on device posture. When an exploit chain compromised a device, it had lateral movement paths that shouldn't have existed.

What the Relevant Standards Require

NIST Cybersecurity Framework v2.0 (ID.AM-1, ID.AM-2) mandates maintaining inventories of authorized devices and software platforms. You must know what's connecting to your network and what versions they're running. "We think most people are updated" isn't an inventory.

NIST 800-53 Rev 5 (SI-2: Flaw Remediation) requires organizations to install security-relevant software updates within defined timeframes based on risk. For mobile operating systems accessing corporate data, multi-year patch gaps violate the control's intent. The standard explicitly calls for tracking and remediating known vulnerabilities—not just on servers, but on all platforms processing organizational information.

ISO/IEC 27001:2022 (Annex A 8.8: Management of technical vulnerabilities) requires identifying technical vulnerabilities, evaluating exposure, and taking appropriate measures. When Apple publishes iOS security updates, those updates document the vulnerabilities. Leaving devices unpatched for years represents a documented failure to manage known risks.

PCI DSS (Requirement 6.3.3) requires security patches for all system components within one month of release, or documenting risk-based decisions for longer timeframes. If your organization processes payment data and allows iOS 13 devices near that environment, you're likely non-compliant. The requirement doesn't exempt mobile endpoints.

The standards require not just patching—they require knowing what needs patching and proving you've done it.

Lessons and Action Items for Your Team

Establish Mobile OS End-of-Life Policies

Define maximum age for mobile operating systems accessing corporate resources. Two major versions behind current is a reasonable baseline. iOS 13 devices should have been blocked from corporate access when iOS 15 shipped—not when exploit kits targeting iOS 13 appeared in the wild.

Implement Conditional Access Based on Device Posture

Your identity provider should enforce OS version minimums before granting access tokens. If a device reports iOS 14, it doesn't get email, doesn't get VPN, doesn't get SSO to internal apps. This isn't punitive—it's basic hygiene. Azure AD, Okta, and Google Workspace all support this. Use it.

Inventory Mobile Devices Monthly

Pull reports from your MDM showing OS versions for every enrolled device. Graph the distribution. If you see devices more than two major versions behind, those are your exposure points. Track them like you track unpatched servers, because they represent equivalent risk.

Segment Network Access by Device Trust Level

Devices that can't or won't update should be relegated to restricted network segments with minimal access to sensitive resources. This is especially critical for BYOD programs where you can't force updates. The device can exist—it just can't touch your financial systems.
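The four action items above (an OS end-of-life policy, posture-based conditional access, a monthly inventory pass, and segmentation by trust level) share one piece of logic: parse the version each device reports and compare it against policy. The following Python script is an added example, not code from the article, from GTIG or iVerify, or from any MDM or identity-provider product. It assumes a hypothetical MDM CSV export with columns device_id, user and os_version (a constructed sample is embedded), assumes iOS 18 as the current major at evaluation time, and applies the article's two-majors-behind baseline together with the affected range the article gives (iOS 13.0 through 17.2.1): a device outside the age policy, inside that range, or reporting an unparseable version gets no email, VPN or SSO grant and is placed in the restricted segment.

```python
"""Mobile OS posture evaluation over an MDM inventory export.

Added example for this article, not code from the article, GTIG, iVerify or
any MDM/IdP vendor.  Column names, the sample rows and CURRENT_MAJOR are
assumptions; the policy numbers and the affected range come from the article.
"""
import csv
import io
from collections import Counter

CURRENT_MAJOR = 18        # assumption: newest shipping iOS major at evaluation time
MAX_MAJORS_BEHIND = 2     # article's baseline: at most two majors behind current

# Range the article says the Coruna kit targets: iOS 13.0 through iOS 17.2.1.
CORUNA_MIN = (13, 0, 0)
CORUNA_MAX = (17, 2, 1)

GRANTS_FULL = frozenset({"email", "vpn", "sso"})   # what a compliant device gets
GRANTS_NONE = frozenset()                          # out of policy: nothing

# Constructed sample MDM export (hypothetical device ids and users).
SAMPLE_EXPORT = """device_id,user,os_version
ip-0001,alice,18.1.1
ip-0002,bob,17.2.1
ip-0003,carol,17.6
ip-0004,dave,16.7.10
ip-0005,erin,13.7
ip-0006,frank,unknown
ip-0007,grace,15.8.3
ip-0008,hank,18.0
ip-0009,ivy,17.5.1
"""


def parse_version(text):
    """Turn '17.6' or '16.7.10' into (major, minor, patch); None if unparseable."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        return None
    nums = [int(part) for part in parts[:3]] + [0, 0]
    return tuple(nums[:3])


def evaluate_device(os_version_text):
    """Posture decision for one device, from its reported OS version alone."""
    version = parse_version(os_version_text)
    if version is None:
        # An unparseable posture report is treated as untrusted, not as "probably fine".
        return {"version": None, "majors_behind": None, "in_coruna_range": False,
                "tier": "restricted", "grants": GRANTS_NONE, "segment": "restricted"}
    behind = CURRENT_MAJOR - version[0]
    exploitable = CORUNA_MIN <= version <= CORUNA_MAX
    # Full access needs both: inside the version-age policy and outside the known-targeted range.
    if behind <= MAX_MAJORS_BEHIND and not exploitable:
        tier, grants, segment = "full", GRANTS_FULL, "corporate"
    else:
        tier, grants, segment = "restricted", GRANTS_NONE, "restricted"
    return {"version": version, "majors_behind": behind, "in_coruna_range": exploitable,
            "tier": tier, "grants": grants, "segment": segment}


def inventory_report(csv_text):
    """Monthly inventory pass: devices per iOS major plus the list of exposure points."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    distribution = Counter()
    findings = []
    for row in rows:
        result = evaluate_device(row["os_version"])
        major = result["version"][0] if result["version"] else "unknown"
        distribution[major] += 1
        if result["tier"] != "full":
            findings.append({"device_id": row["device_id"], "user": row["user"],
                             "os_version": row["os_version"], **result})
    return {"total": len(rows), "distribution": dict(distribution), "findings": findings}


def render_distribution(distribution):
    """Text bar chart of devices per major, newest first, unknown last."""
    order = sorted(distribution.items(),
                   key=lambda kv: (isinstance(kv[0], str),
                                   kv[0] if isinstance(kv[0], str) else -kv[0]))
    return "\n".join(f"iOS {major:>7}: {'#' * count} ({count})" for major, count in order)


if __name__ == "__main__":
    report = inventory_report(SAMPLE_EXPORT)
    print(render_distribution(report["distribution"]))
    print(f"\n{len(report['findings'])} of {report['total']} devices out of policy:")
    for f in report["findings"]:
        print(f"  {f['device_id']} {f['user']:<6} iOS {f['os_version']:<8} -> segment={f['segment']}, "
              f"grants={sorted(f['grants']) or 'none'}, in_coruna_range={f['in_coruna_range']}")
```

Running it prints the distribution as a text bar chart and then lists the exposure points with the segment and grants each one would receive. In a real deployment the decision in evaluate_device would be fed to the identity provider as the device-compliance signal rather than run as a script, and CORUNA_MAX should be replaced by the floor your patch program actually enforces as Apple ships fixes. The script treats "unknown" as untrusted on purpose: a device whose version cannot be parsed is exactly the device you cannot reason about, and it belongs in the restricted segment until the inventory is corrected.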

Monitor for Exploit Indicators

iVerify published detection advice for Coruna-triggered infections. Your mobile threat defense tools should be ingesting these indicators. If you're not running mobile threat defense, understand that sophisticated exploit kits now target iOS with the same vigor they've targeted Android for years.

Budget for Device Refresh Cycles

Some organizations can't update because they're running devices that Apple no longer supports. If your iPhone 6s fleet is blocking your security program, that's a capital expenditure problem, not a security problem. Document the risk, quantify the exposure, and get it in front of whoever controls hardware budgets.

The Coruna kit demonstrates that patched vulnerabilities don't disappear—they become commodities in a secondary market serving financially motivated attackers. Your patch management program needs to account for this reality. The exploits targeting iOS 13 aren't theoretical. They're packaged, productized, and actively deployed for financial gain.

Every device running an outdated OS is a potential entry point. Treat it accordingly.
