The DarkSword Exploit Chain
DarkSword is a sophisticated, multi-stage exploit framework for Apple platforms that chains six Apple vulnerabilities to achieve full kernel-level compromise of a targeted device (iPhone, iPad, Mac, Apple Watch or Apple TV) with no interaction required from the victim beyond loading a malicious webpage.
On 20 March 2026, CISA added three of the six chain components to its Known Exploited Vulnerabilities catalogue, confirming that active exploitation of this framework is underway. US Federal Civilian Executive Branch agencies have until 3 April 2026 to apply all applicable Apple security updates.
The three CISA-confirmed exploited components:
- CVE-2025-31277 — A buffer overflow in WebKit, Apple’s browser engine used by Safari, Mail, and every iOS application that renders web content. This is the entry point: a malicious webpage triggers the overflow, giving the attacker initial code execution in the browser process
- CVE-2025-43510 — An improper locking vulnerability that allows the attacker to bypass Apple’s internal security boundaries (e.g., sandbox escapes), converting browser-process execution into broader OS access
- CVE-2025-43520 — A classic buffer overflow affecting the operating system core, culminating in the ability to write directly to kernel memory and achieve complete control over the device
Attack Mechanics
Google Threat Intelligence Group researchers documented DarkSword as a delivery framework operationalised across multiple threat clusters — both financially motivated cybercrime actors and suspected state-sponsored espionage groups. The complete chain exploits all six vulnerabilities in sequence:
- Victim loads a malicious webpage (via phishing link, malvertising, or compromised website)
- CVE-2025-31277 triggers in WebKit, giving initial code execution
- Chain progresses through sandbox escapes and privilege escalation steps
- CVE-2025-43510 breaks the security boundary between browser and OS
- CVE-2025-43520 achieves kernel memory write access
- Full device compromise — attacker has root-equivalent access, can read all data, install persistent implants, access encrypted data
Because the victim does nothing beyond loading the webpage, the attack is effectively zero-click in many contexts (malvertising or a compromised website requires no action at all); where a link is needed, a single spear-phishing message is sufficient.
Enterprise Impact
For organisations that manage corporate iOS and macOS devices, this exploit chain represents a fully automated compromise path. A single malicious link sent to an executive’s iPhone can result in:
- Exfiltration of emails, calendar data, contacts, and files stored on or synced to the device
- Access to corporate credentials cached on the device (VPN certificates, SSO tokens, enterprise app passwords stored in the keychain)
- Installation of persistent spyware surviving reboots
- Lateral movement if the device has corporate Wi-Fi or VPN access that bypasses normal perimeter controls
Organisations deploying iOS or macOS devices in privileged roles — executives, finance, legal, security teams — are the primary high-value targets.
Recommended Actions
- Apply Apple security updates across all devices immediately: ensure iOS, iPadOS, macOS, watchOS, and tvOS devices are updated to the latest available version addressing the DarkSword chain components
- Enforce MDM update compliance: use your Mobile Device Management platform (Intune, Jamf, Kandji) to flag devices not running the patched OS version and enforce mandatory updates
- Enable Lockdown Mode for high-risk users: Apple’s Lockdown Mode substantially reduces WebKit and other attack surfaces. Deploying it for executives, legal, and security staff provides meaningful DarkSword risk reduction
- Review device audit logs for indicators of compromise on any device that was significantly out of date: unexpected app installations, certificate trust store changes, or anomalous network connections from Apple devices
- Brief security and IT teams on the scope of the DarkSword chain — this is not a standard “patch your phone” vulnerability; it is a sophisticated nation-state-grade framework that has been operationalised by multiple threat actor groups
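One way to implement the MDM update-compliance and Lockdown Mode checks above, as an added example that is not part of this advisory or of any MDM vendor's tooling: it assumes a constructed inventory export (the field names `platform`, `os_version`, `role` and `lockdown_mode` are assumptions, not a real Intune, Jamf or Kandji schema) and placeholder minimum versions, and flags devices that are out of date or that belong to a high-risk role without Lockdown Mode enabled.

```python
import json
import re

# PLACEHOLDER minimum patched versions per platform (constructed for this
# example; take the real fixed versions from Apple's security release notes).
MIN_PATCHED = {"iOS": "26.3.1", "iPadOS": "26.3.1", "macOS": "26.3.1",
               "watchOS": "26.3.1", "tvOS": "26.3.1"}

# Roles the advisory names as primary targets; Lockdown Mode is expected here.
HIGH_RISK_ROLES = {"executive", "finance", "legal", "security"}

# Constructed MDM inventory export. The field names are an assumption for
# this example, not a real Intune, Jamf or Kandji schema.
SAMPLE_INVENTORY = json.dumps([
    {"id": "dev-1", "platform": "iOS", "os_version": "26.3.1", "role": "executive", "lockdown_mode": True},
    {"id": "dev-2", "platform": "iOS", "os_version": "26.2", "role": "finance", "lockdown_mode": False},
    {"id": "dev-3", "platform": "macOS", "os_version": "26.3.10", "role": "engineering", "lockdown_mode": False},
    {"id": "dev-4", "platform": "watchOS", "os_version": "26.3", "role": "legal", "lockdown_mode": True},
    {"id": "dev-5", "platform": "Other", "os_version": "1.0", "role": "security", "lockdown_mode": False},
])

def version_key(version):
    """'26.3' -> (26, 3, 0): numeric tuples so '26.3.10' beats '26.3.9' and short versions are padded."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (3 - len(parts)))

def is_patched(platform, os_version):
    """True/False against the platform minimum; None when no threshold exists, so it is reported, not passed."""
    minimum = MIN_PATCHED.get(platform)
    if minimum is None:
        return None
    return version_key(os_version) >= version_key(minimum)

def audit(inventory_json):
    """Map device id -> list of findings; compliant devices are omitted."""
    findings = {}
    for dev in json.loads(inventory_json):
        issues = []
        status = is_patched(dev["platform"], dev["os_version"])
        if status is None:
            issues.append("unknown_platform")
        elif not status:
            issues.append("outdated")
        if dev["role"] in HIGH_RISK_ROLES and not dev["lockdown_mode"]:
            issues.append("lockdown_missing")
        if issues:
            findings[dev["id"]] = issues
    return findings
```

Running `audit(SAMPLE_INVENTORY)` on the constructed export flags dev-2, dev-4 and dev-5; devices with an unrecognised platform are surfaced rather than silently counted as compliant.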