Coruna can also be notable for its use by three distinct hacking teams. Google first detected its use in February of final yr in an operation carried out by a “buyer of a surveillance vendor.” The vulnerability exploited, tracked as CVE-2025-23222, had been patched 13 months earlier. In July 2025, a “suspected Russian espionage group” exploited CVE-2023-43000 in assaults planted on web sites that had been frequented by Ukrainian targets. Final December, when it was utilized by a “financially motivated menace actor from China,” Google was in a position to retrieve the entire exploit package.
“How this proliferation occurred is unclear, however suggests an energetic marketplace for ‘second hand’ zero-day exploits,” Google wrote. “Past these recognized exploits, a number of menace actors have now acquired superior exploitation methods that may be re-used and modified with newly recognized vulnerabilities.”
Google researchers went on to put in writing:
We retrieved all of the obfuscated exploits, together with ending payloads. Upon additional evaluation, we seen an occasion the place the actor deployed the debug model of the exploit package, leaving within the clear all the exploits, together with their inside code names. That’s once we realized that the exploit package was probably named Coruna internally. In whole, we collected a couple of hundred samples masking a complete of 5 full iOS exploit chains. The exploit package is ready to goal varied iPhone fashions operating iOS model 13.0 (launched in September 2019) as much as model 17.2.1 (launched in December 2023).
The 23 exploits, together with the code names and different data, are:
| Kind | Codename | Focused variations (inclusive) | Mounted variations | CVE |
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC bypass | breezy | 13 → 14.x | ? | No CVE |
| WebContent PAC bypass | breezy15 | 15 → 16.2 | ? | No CVE |
| WebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE |
| WebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE |
| WebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE |
| WebContent sandbox escape | IronLoader | 16.0 → 16.3.116.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | Neutron | 13.X | 14.2 | CVE-2020-27932 |
| PE (infoleak) | Dynamo | 13.X | 14.2 | CVE-2020-27950 |
| PE | Pendulum | 14 → 14.4.x | 14.7 | No CVE |
| PE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | Parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL Bypass | Quark | 13.X | 14.5 | No CVE |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | No CVE |
| PPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |
CISA is including solely three of the CVEs to its catalog. They’re:
- CVE-2021-30952 Apple A number of Merchandise Integer Overflow or Wraparound Vulnerability
- CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
- CVE-2023-43000 Apple A number of merchandise Use-After-Free Vulnerability
CISA is directing businesses to “apply mitigations per vendor directions, observe relevant… steerage for cloud providers, or discontinue use of the product if mitigations are unavailable.” The company went on to warn: “These kinds of vulnerabilities are frequent assault vectors for malicious cyber actors and pose vital dangers to the federal enterprise.”
