The iOS Exploit Industrial Complex Has Arrived

When the Cybersecurity and Infrastructure Security Agency quietly added three iOS vulnerabilities to its Known Exploited Vulnerabilities catalog in early March 2026, the security community's reaction was not surprise but resignation. The three CVEs, CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174, are components of DarkSword, a full-chain iPhone exploit framework that Google's Threat Intelligence Group has tracked across multiple threat actors and at least two continents. Federal agencies now have until April 3 to patch. But the real story is not the vulnerabilities themselves. It is what their trajectory reveals about a shift in the economics of iOS exploitation: nation-state attack tools are becoming commodities, and the secondary market for iPhone exploits is now mature enough to function like any other supply chain.
From Boutique Craft to Industrial Production
To understand why CISA's latest catalog additions matter, you need to rewind to October 2025, when a U.S. investor consortium acquired a controlling stake in NSO Group, the Israeli firm behind Pegasus spyware. That deal, reportedly worth tens of millions, came with a new chairman (David Friedman, former U.S. ambassador to Israel) and a stated goal of entering the American law enforcement market. NSO had spent four years in regulatory exile after the Commerce Department blacklisted it in November 2021. The acquisition signaled that powerful interests believed the commercial spyware market was not contracting but consolidating.
They were right, but not in the way they expected. While NSO was busy publishing transparency reports and lobbying Washington, the exploit market was fragmenting beneath it. Google's Threat Intelligence Group published two landmark reports in March 2026 that together paint a picture of an industry in rapid, chaotic expansion. The first detailed Coruna, an exploit kit containing 23 exploits across five full attack chains targeting iOS versions 13.0 through 17.2.1. The second dissected DarkSword, a six-vulnerability chain hitting iOS 18.4 through 18.7 with three zero-days.
The critical finding was not the technical sophistication of either toolkit. It was the proliferation pattern. Coruna was first observed in the hands of a commercial surveillance vendor's customer, then appeared in watering hole attacks by UNC6353, a suspected Russian espionage group targeting Ukrainian users. It then surfaced again in broad financial crime campaigns run by UNC6691, a Chinese cybercriminal operation. A spy tool designed for targeted state operations had, within roughly a year, trickled down to criminal groups running mass campaigns. Google's researchers noted that how this proliferation occurred "is unclear, but suggests an active market for second-hand zero-day exploits."
That single sentence deserves to be read as an industry-defining observation. We are no longer in an era where iOS zero-days are bespoke weapons held by a handful of intelligence agencies. They are traded goods with a resale market.
Inside DarkSword: Why This Exploit Chain Is Different
DarkSword deserves particular attention because its architecture represents a different philosophy of iOS exploitation. Traditional chains against Apple devices have raced from the renderer into the kernel as fast as possible, carrying native-code payloads and relying on kernel memory corruption to finish the job. DarkSword's entire kill chain is written in JavaScript.
This is a profound design choice. Page Protection Layer (PPL) and its successor on newer silicon, Secure Page Table Monitor (SPTM), are hardware-backed mechanisms that keep page tables and kernel code integrity out of reach even of code that has already corrupted kernel memory; Apple built them to blunt exactly the kernel read/write primitives that earlier generations of spyware relied on. DarkSword does not fight these defenses head-on. Most of the chain stays in user space, moving laterally across process boundaries rather than vertically into the kernel, and it touches the kernel only at the very end, by which point it is already running inside a more privileged process than the browser's content renderer.
The chain works in stages. First, a memory corruption vulnerability in JavaScriptCore (CVE-2025-31277 or CVE-2025-43529) provides initial code execution. Then, instead of immediately attempting kernel exploitation, DarkSword escapes the WebContent sandbox by pivoting into the GPU process, a less-protected boundary than the kernel. From the GPU process, it moves laterally again into mediaplaybackd, a media services daemon. Only then does it use a user-mode PAC bypass (CVE-2026-20700, the dyld vulnerability) and kernel memory management flaws to achieve full device compromise.
This lateral movement approach is significant because it targets the weakest links in Apple's process isolation model rather than attacking the strongest defenses directly. It also makes DarkSword unusually portable. A JavaScript chain can be delivered through any context that both renders with WebKit and executes script: Safari, SFSafariViewController, and every in-app WKWebView that leaves JavaScript enabled for untrusted pages. Contexts that render HTML with script switched off, as Mail does for message bodies, do not expose JavaScriptCore and are not an entry point for this chain. The attack surface is still enormous. According to Google's analysis, approximately 221 million devices running iOS 18.4 through 18.6.2 were vulnerable, about 14.2% of Apple's active installed base.
Apple's Structural Disadvantage
Apple's security model has always rested on two pillars: hardware-software integration that makes exploitation expensive, and a walled garden that limits attack surface. Both pillars are showing cracks, and not because Apple's engineering has deteriorated. The problem is structural.
First, the cost curve has inverted. In 2019, Zerodium was publicly offering up to $2 million for a zero-click full iOS chain with persistence, a price that reflected genuine scarcity. By 2025, Google's annual zero-day tracking report revealed that commercial spyware vendors had, for the first time, topped the list of entities deploying zero-day exploits, surpassing both nation-state actors and cybercriminal groups. The sheer number of vendors, including NSO, Intellexa, Cy4Gate, Negg Group, PARS Defense (a Turkish firm linked to DarkSword campaigns), and others, means more teams are hunting iOS bugs simultaneously. Competition among exploit developers has driven innovation in technique while potentially driving down per-exploit pricing through oversupply.
Second, Apple's monoculture is a liability at scale. Every iPhone runs the same operating system on a narrow range of hardware. A single exploit chain can theoretically compromise hundreds of millions of devices. Android's fragmentation, long considered a weakness, is paradoxically a defensive advantage here: an exploit targeting a Samsung Exynos kernel is useless against a Pixel running a different SoC. Apple's uniformity means that one DarkSword serves all targets.
Third, Lockdown Mode, introduced in iOS 16 as a hardened configuration for high-risk users, remains Apple's most effective countermeasure: among other things it disables WebKit's JIT compiler and strips most message attachments and link previews. But it is opt-in, carries real usability tradeoffs, and Apple has been reluctant to extend its protections to the general user base. Almost none of the 221 million vulnerable devices were running it, and most iPhone users have never heard of it. Apple's security strategy effectively creates a two-tier system: hardened protection for those who know to ask for it, and standard protection for everyone else. The exploit market has noticed this gap.
The Real Threat: Exploit Proliferation, Not Exploit Sophistication
Security discourse tends to fixate on sophistication. The word appears in nearly every advisory Apple publishes ("extremely sophisticated attack against specific targeted individuals" was the phrasing for CVE-2026-20700). But sophistication is the wrong metric. The defining trend of 2025 and 2026 is proliferation.
Coruna's journey, from a surveillance vendor's customer to a suspected Russian espionage group to Chinese cybercriminals, illustrates a pattern that should alarm every security team. The traditional model assumed that zero-day exploits had short shelf lives: once discovered and patched, they lost value. The reality is more complex. Even after Apple patches a vulnerability, millions of devices remain unpatched for months or years. Coruna targeted iOS versions up to 17.2.1, which was released in December 2023. In March 2026, when Google published its report, a meaningful percentage of Apple's installed base was still running those versions. Older exploits do not die. They find new, less discriminating buyers.
This creates a cascade effect. A zero-day developed by a well-funded surveillance vendor for targeted espionage gets patched. The exploit's value drops for high-end buyers who need to hit current iOS versions. But it retains significant value for criminal groups targeting the long tail of unpatched devices. The exploit gets resold, possibly multiple times. Each new operator is less sophisticated and less discriminating in targeting. What begins as a surgical tool ends as a blunt instrument swung at millions.
CISA's KEV catalog additions are an attempt to force the patching timeline for federal agencies. But the catalog's real function is as a signal. A vulnerability enters KEV only if it has a CVE ID, CISA has reliable evidence that it is being actively exploited, and a clear remediation exists; the criteria say nothing about who the victims are, so a KEV entry means exploitation in the wild, not necessarily exploitation of U.S. government targets. The three iOS CVEs were not added as a precaution. Someone is using them against real victims, and CISA has seen enough evidence of that to start the clock.
What Builders and Operators Should Do Now
The practical implications of this shift extend well beyond "update your iPhone." Several concrete actions deserve attention.
For enterprise security teams: mobile threat detection can no longer be optional. DarkSword's delivery mechanism, compromised legitimate websites serving exploit code via WebKit, means that URL filtering and network-level controls are insufficient. On-device compromise detection from vendors such as iVerify, Lookout, or Zimperium is now a baseline requirement for any organization handling sensitive data, with one caveat: a third-party app on iOS is sandboxed like any other app and cannot inspect other processes, so these products work from indicators such as crash and diagnostic logs, configuration drift, and anomalous network behaviour, not from direct memory inspection. They belong alongside MDM policy that enforces a minimum iOS version and keeps non-compliant devices away from corporate resources. The assumption that iOS devices are inherently secure enough to access corporate resources without additional monitoring is no longer defensible.
For app developers: if your application uses WKWebView to render external content, you are part of the attack surface. DarkSword exploits JavaScriptCore, which powers every WebKit instance on iOS. Content Security Policy is the wrong tool here: CSP is set by the server that serves a page, so an app embedding content it does not control cannot use it to protect itself. What the app does control is whether script runs at all. Disable content JavaScript by default (WKWebpagePreferences.allowsContentJavaScript), re-enable it per navigation only for an allow-list of first-party https hosts, block third-party script loads with a WKContentRuleList, and never feed attacker-influenced strings to evaluateJavaScript or a JSContext. Treat any WebKit rendering of untrusted content as a potential exploitation vector. Note what this does not do: an app cannot turn off WebKit's JIT; only Lockdown Mode does that.
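As an added illustration of that advice (example code written for this article, not code from the DarkSword reports or from any project they describe), the Swift wrapper below applies those WebKit settings: content JavaScript is off for every navigation unless the destination is an allow-listed https host, and a content rule list blocks third-party script loads even on allowed pages. The host app.example.com and the rule-list identifier are hypothetical placeholders.

```swift
import WebKit

/// Added example, not Apple's or any vendor's code: a WKWebView host that keeps
/// content JavaScript disabled by default and re-enables it per navigation
/// only for an explicit allow-list of first-party https hosts.
final class HardenedWebView: NSObject, WKNavigationDelegate {
    /// Hosts permitted to run script (hypothetical placeholder values).
    /// Every other page renders with JavaScript off, so a JavaScriptCore bug
    /// on that page has no script to trigger it.
    private let scriptHosts: Set<String> = ["app.example.com"]

    /// Kept as a separate reference so rule lists can be added after the
    /// web view exists; WKWebView.configuration hands back a copy.
    private let contentController = WKUserContentController()
    let webView: WKWebView

    /// Safari content-blocker rule: block every third-party script load,
    /// including on pages where first-party script is allowed.
    private static let blockThirdPartyScript = """
    [{"trigger": {"url-filter": ".*",
                  "resource-type": ["script"],
                  "load-type": ["third-party"]},
      "action": {"type": "block"}}]
    """

    override init() {
        let config = WKWebViewConfiguration()
        config.userContentController = contentController
        // Default for every navigation: no content JavaScript (iOS 14+).
        config.defaultWebpagePreferences.allowsContentJavaScript = false
        // Where script does run, do not let it open windows on its own.
        config.preferences.javaScriptCanOpenWindowsAutomatically = false
        webView = WKWebView(frame: .zero, configuration: config)
        super.init()
        webView.navigationDelegate = self
        installContentRules()
    }

    private func installContentRules() {
        WKContentRuleListStore.default().compileContentRuleList(
            forIdentifier: "block-third-party-script",   // hypothetical name
            encodedContentRuleList: Self.blockThirdPartyScript
        ) { [weak self] list, error in
            guard let list = list, error == nil else { return }
            // Applies to loads that begin after the list is installed.
            self?.contentController.add(list)
        }
    }

    /// Script is allowed only for https URLs whose host is on the allow-list.
    func isScriptAllowed(for url: URL?) -> Bool {
        guard let url = url, url.scheme == "https", let host = url.host else {
            return false
        }
        return scriptHosts.contains(host.lowercased())
    }

    /// Called by WebKit for every navigation, main frame and subframes alike,
    /// before it starts. The preferences object is mutated and handed back.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 preferences: WKWebpagePreferences,
                 decisionHandler: @escaping (WKNavigationActionPolicy, WKWebpagePreferences) -> Void) {
        guard let url = navigationAction.request.url, url.scheme == "https" else {
            // Plain http and custom schemes are refused outright.
            decisionHandler(.cancel, preferences)
            return
        }
        preferences.allowsContentJavaScript = isScriptAllowed(for: url)
        decisionHandler(.allow, preferences)
    }

    func load(_ url: URL) {
        webView.load(URLRequest(url: url))
    }
}
```

Two things this wrapper cannot do. It does not disable WebKit's JIT, which only Lockdown Mode controls, so an allow-listed first-party page that is itself compromised still exposes the full JavaScriptCore surface. And allowsContentJavaScript governs page script only: user scripts the app injects still run, and anything the app passes to evaluateJavaScript or a JSContext reintroduces JavaScriptCore on the app's own authority.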
For Apple: the company faces a strategic decision. Lockdown Mode works, but its opt-in nature limits its impact. Apple could selectively enable specific Lockdown Mode protections, such as disabling JIT compilation in WebKit for content from unfamiliar domains, for all users without the full Lockdown Mode tradeoff. The DarkSword chain depends on JIT-compiled JavaScript, so disabling JIT for untrusted web content would break its first stage. The cost is slower JavaScript on those pages, a far smaller price than the rest of Lockdown Mode asks of its users.
For policymakers: The U.S. government's posture on commercial spyware is incoherent. CISA warns agencies to patch against exploits developed by commercial vendors. Simultaneously, a U.S. investor group has acquired NSO Group with apparent intent to sell Pegasus to American law enforcement. The same class of tools is treated as a threat when wielded by foreign actors and a legitimate capability when operated domestically. This contradiction will become increasingly untenable as exploit proliferation makes the distinction between "targeted" and "mass" surveillance meaningless.
Where This Goes Next
Three predictions follow from the current trajectory.
First, Apple will be forced to ship a significant architectural change to WebKit's security model within the next 12 months. The company cannot sustain a posture where its browser engine is the primary entry point for two separate full-chain exploit kits. Expect either mandatory sandboxing changes that break backward compatibility with some web content, or a move toward disabling JIT compilation by default in contexts where the user has not explicitly navigated to a website.
Second, the secondary exploit market will produce a major incident in 2026 or early 2027 where a formerly targeted exploit kit is used in a mass attack affecting ordinary consumers, not just journalists and dissidents. Coruna's trajectory from surveillance tool to financial crime weapon is the template. The next iteration will likely involve ransomware or credential theft at consumer scale. When that happens, the political dynamics around commercial spyware regulation will change overnight.
Third, Google's Threat Intelligence Group will become the de facto regulator of the iOS exploit market. This sounds paradoxical, but Google is now the primary entity tracking, attributing, and publishing detailed analyses of iOS exploit chains. Apple's own security advisories are deliberately vague. Google's reports name threat actors, map proliferation patterns, and provide the technical detail that defenders need. In the absence of meaningful government oversight of the commercial spyware industry, Google's transparency reports are functioning as the closest thing to accountability that exists. The competitive dynamics are unmistakable: Google has a strategic interest in demonstrating that iOS is not as secure as Apple claims, and Apple has no equivalent capability to scrutinize Android exploits at the same depth. This asymmetry will shape public perception of mobile security for years to come.
The three CVEs that CISA flagged are not just vulnerabilities. They are artifacts of an industrial ecosystem that has matured faster than anyone anticipated. The question is no longer whether iOS can be exploited. It is who gets access to the tools, how quickly those tools spread, and whether the defenses can evolve faster than the market that profits from breaking them.