Coruna can be notable for its use by three distinct hacking teams. Google first detected its use in February of final yr in an operation performed by a “buyer of a surveillance vendor.” The vulnerability exploited, tracked as CVE-2025-23222, had been patched 13 months earlier. In July 2025, a “suspected Russian espionage group” exploited CVE-2023-43000 in assaults planted on web sites that had been frequented by Ukrainian targets. Final December, when it was utilized by a “financially motivated menace actor from China,” Google was in a position to retrieve the entire exploit package.
“How this proliferation occurred is unclear, however suggests an lively marketplace for ‘second hand’ zero-day exploits,” Google wrote. “Past these recognized exploits, a number of menace actors have now acquired superior exploitation strategies that may be re-used and modified with newly recognized vulnerabilities.”
Google researchers went on to put in writing:
We retrieved all of the obfuscated exploits, together with ending payloads. Upon additional evaluation, we observed an occasion the place the actor deployed the debug model of the exploit package, leaving within the clear the entire exploits, together with their inner code names. That’s once we discovered that the exploit package was possible named Coruna internally. In whole, we collected a couple of hundred samples protecting a complete of 5 full iOS exploit chains. The exploit package is ready to goal numerous iPhone fashions operating iOS model 13.0 (launched in September 2019) as much as model 17.2.1 (launched in December 2023).
The 23 exploits, together with the code names and different data, are:
| Sort | Codename | Focused variations (inclusive) | Fastened variations | CVE |
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC bypass | breezy | 13 → 14.x | ? | No CVE |
| WebContent PAC bypass | breezy15 | 15 → 16.2 | ? | No CVE |
| WebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE |
| WebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE |
| WebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE |
| WebContent sandbox escape | IronLoader | 16.0 → 16.3.116.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | Neutron | 13.X | 14.2 | CVE-2020-27932 |
| PE (infoleak) | Dynamo | 13.X | 14.2 | CVE-2020-27950 |
| PE | Pendulum | 14 → 14.4.x | 14.7 | No CVE |
| PE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | Parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL Bypass | Quark | 13.X | 14.5 | No CVE |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | No CVE |
| PPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |
CISA is including solely three of the CVEs to its catalog. They’re:
- CVE-2021-30952 Apple A number of Merchandise Integer Overflow or Wraparound Vulnerability
- CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
- CVE-2023-43000 Apple A number of merchandise Use-After-Free Vulnerability
CISA is directing businesses to “apply mitigations per vendor directions, observe relevant… steerage for cloud companies, or discontinue use of the product if mitigations are unavailable.” The company went on to warn: “A lot of these vulnerabilities are frequent assault vectors for malicious cyber actors and pose important dangers to the federal enterprise.”
