HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Thursday, April 2, 2026  ·  hardened.news
The signal. Not the noise. For teams that defend.
Lead Story
Critical · Enterprise · IT Ops
The DarkSword iOS Exploit Chain Is a Six-Vulnerability Surveillance Tool Used by Nation-States. The Patch Deadline Is Tomorrow.
Since at least November 2025, commercial surveillance vendors and a suspected Russian espionage group have been delivering full iPhone compromise through a single website visit. No interaction beyond the page load is required. CISA added three of DarkSword’s six CVEs to its Known Exploited Vulnerabilities catalog and set a federal patching deadline of April 3 — tomorrow. If the iPhones and Macs in your organization are not on the latest iOS and macOS releases, this issue is for you.

DarkSword is a full-chain iOS exploit framework that strings six vulnerabilities together into a single, browser-delivered attack requiring no user interaction beyond visiting a compromised website. The initial foothold is CVE-2025-31277, a JIT type-confusion vulnerability in WebKit’s JavaScriptCore engine triggered by processing malicious web content. From there, the chain uses CVE-2025-43510 — a copy-on-write race condition in XNU that weaponizes a system service called mediaplaybackd, which runs with broader system permissions than the browser sandbox — to escape WebKit’s confinement. The final stage, CVE-2025-43520, exploits a race condition in XNU’s virtual filesystem implementation to achieve kernel memory read-write access. The outcome is complete device compromise: all data, all stored credentials, all active sessions, all communications.

Google’s Threat Intelligence Group, Lookout, and iVerify documented DarkSword in research published in March 2026, linking the chain to at least two distinct threat clusters. UNC6748 is assessed as a customer of PARS Defense, a Turkish commercial surveillance vendor, and has deployed DarkSword in campaigns targeting Saudi Arabia and Malaysia. UNC6353, assessed by Google as a suspected Russian espionage actor, used the chain against targets in Ukraine and Turkey. Delivery in observed cases was through watering-hole attacks: legitimate websites silently compromised and repurposed to serve the exploit. Targets receive no warning and take no visible action. The campaigns have been active since at least November 2025.

Apple patched the three CISA-flagged CVEs across iOS 18.6 (CVE-2025-31277) and iOS 18.7.2 / iOS 26.1 (CVE-2025-43510 and CVE-2025-43520). Any device that hasn’t moved past iOS 18.7 is still in the window the chain was designed to hit. CISA set the federal remediation deadline at April 3 under Binding Operational Directive 22-01 — tomorrow. The same patches apply across iPadOS, macOS, watchOS, visionOS, and tvOS. For enterprise teams managing device fleets through MDM, confirm today that all enrolled devices are running iOS 18.7.2 or iOS 26.1 at minimum. BYOD devices represent the harder gap: users who delay automatic updates or connect infrequently to MDM may still be running a vulnerable iOS version months after patches were available.

→ Key Takeaway
Update every Apple device in your organization today. At minimum: iOS and iPadOS 18.7.2 or iOS/iPadOS 26.1. Apply the latest available macOS, watchOS, visionOS, and tvOS updates — DarkSword CVEs were patched across all Apple platforms simultaneously. If you manage devices through MDM, push the update now and validate compliance before end of day — tomorrow is the CISA deadline. Flag BYOD devices that cannot be verified as patched. A watering-hole attack requires nothing from the user beyond a browser and an unpatched device.
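One way to run the MDM compliance check the takeaway calls for, as an added example (not HARDENED's code or any MDM product's API): it reads a device inventory export with made-up column names and applies the 18.7.2 / 26.1 minimums, comparing versions as numeric tuples so that 18.7 and 26.0 are flagged and branches the list does not cover go to review instead of passing silently.

```python
"""Flag MDM-enrolled Apple devices still inside the DarkSword window.
Added example (not HARDENED's or any MDM vendor's code): reads an inventory
export with made-up column names and applies the briefing's minimums,
18.7.2 on the iOS/iPadOS 18 branch and 26.1 on the 26 branch."""
import csv
import io

# Lowest patched release per major branch, from the briefing.
MIN_PATCHED = {18: (18, 7, 2), 26: (26, 1)}

def parse_version(text):
    """'18.7.2' -> (18, 7, 2). Compare tuples, never strings: as strings,
    '18.10' sorts below '18.7' and would be mis-flagged."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(version):
    """'patched', 'vulnerable', or 'review' for a branch the list does not cover."""
    v = parse_version(version)
    floor = MIN_PATCHED.get(v[0])
    if floor is None:
        return "review"
    # (18, 7) < (18, 7, 2): a bare 18.7 is correctly treated as unpatched.
    return "patched" if v >= floor else "vulnerable"

# Constructed sample export; device ids and versions are not real data.
SAMPLE_EXPORT = """\
device_id,platform,os_version,ownership,last_checkin
A001,iOS,18.7.2,corporate,2026-04-02
A002,iOS,18.7,corporate,2026-04-01
A003,iPadOS,26.1,corporate,2026-04-02
A004,iOS,26.0,byod,2026-03-20
A005,iOS,18.10,byod,2026-02-11
A006,iOS,27.0,corporate,2026-04-02
"""

def flag_devices(export_text):
    """Return {device_id: (status, ownership)} for every device not confirmed
    patched, so the BYOD gaps the briefing warns about are visible at a glance."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        status = classify(row["os_version"])
        if status != "patched":
            findings[row["device_id"]] = (status, row["ownership"])
    return findings

if __name__ == "__main__":
    for device, (status, ownership) in flag_devices(SAMPLE_EXPORT).items():
        print(f"{device}\t{status}\t{ownership}")
```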
Quick Hits
01
UNC6426 Went from a Stolen npm Token to Full AWS Administrator Access in 72 Hours

Mandiant documented an incident in which the threat group UNC6426 exploited the supply chain compromise of the nx npm package to obtain a developer’s GitHub personal access token. From there, the attackers used Nord Stream — a legitimate open-source CI/CD secret extraction tool — to harvest credentials from the victim’s GitHub Actions pipelines, including the service account token for a GitHub-Actions-CloudFormation role. That role was overly permissive. Using the role’s AWS STS token generation capability, UNC6426 deployed a new CloudFormation stack with full IAM capabilities, created a new role, and attached the AdministratorAccess policy to it. From that position, they enumerated and exfiltrated S3 bucket contents, terminated production EC2 and RDS instances, decrypted application keys, and renamed every internal GitHub repository to a randomized public name — all within 72 hours of the initial token theft. The attack did not require a single CVE. Every step used legitimate tooling against misconfigured permissions. The Hacker News →

Critical · Cloud+DevOps · Dev
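A detection for the escalation step in the incident above, added here as an example and not Mandiant's or HARDENED's code: it scans constructed CloudTrail records for a session of the GitHub-Actions-CloudFormation role that creates a role and attaches AdministratorAccess to it. The account id, session name and role names are invented.

```python
"""Detect the admin-role step of the UNC6426 pattern in CloudTrail records.
Added example, not HARDENED's or Mandiant's code. It looks for the pipeline
role named in the briefing (GitHub-Actions-CloudFormation) creating a role
and attaching AdministratorAccess to it; all events, account ids and role
names below are constructed."""

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
CI_ROLE = "GitHub-Actions-CloudFormation"

def event(time, name, principal, **params):
    """Build a CloudTrail record trimmed to the fields the detection reads."""
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": principal}, "requestParameters": params}

CI_SESSION = "arn:aws:sts::111111111111:assumed-role/GitHub-Actions-CloudFormation/GitHubActions"
ADMIN_USER = "arn:aws:iam::111111111111:user/oncall"
EVENTS = [  # constructed sample records
    event("2026-03-10T08:02:11Z", "CreateRole", CI_SESSION, roleName="svc-maint-7f3a"),
    event("2026-03-10T08:02:19Z", "AttachRolePolicy", CI_SESSION,
          roleName="svc-maint-7f3a", policyArn=ADMIN_POLICY),
    event("2026-03-10T09:15:00Z", "AttachRolePolicy", CI_SESSION,
          roleName="app-reader", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
    event("2026-03-11T10:00:00Z", "AttachRolePolicy", ADMIN_USER,
          roleName="breakglass", policyArn=ADMIN_POLICY),
]

def role_name(arn):
    """'arn:aws:sts::acct:assumed-role/Role/Session' -> 'Role'; None for non-role principals."""
    parts = arn.split(":assumed-role/")
    return parts[1].split("/")[0] if len(parts) == 2 else None

def detect_ci_admin_grants(events, ci_role=CI_ROLE):
    """Alert on every AdministratorAccess attachment made by a session of the CI
    role, noting whether the same role also created the target role. A deploy
    pipeline has no business minting admin roles, so one hit is enough; the
    create+attach pair is the high-confidence shape from the incident."""
    created = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e["eventSource"] != "iam.amazonaws.com" or role_name(e["userIdentity"]["arn"]) != ci_role:
            continue
        p = e["requestParameters"]
        if e["eventName"] == "CreateRole":
            created.add(p["roleName"])
        elif e["eventName"] == "AttachRolePolicy" and p.get("policyArn") == ADMIN_POLICY:
            alerts.append({"role": p["roleName"], "at": e["eventTime"],
                           "created_by_ci": p["roleName"] in created})
    return alerts
```

Run over the constructed records it returns one alert, for svc-maint-7f3a, and ignores both the read-only attachment and the human admin's break-glass grant.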
02
Craft CMS and Laravel Livewire Both Have CISA-Confirmed RCE Flaws — Deadline Also Tomorrow

In the same CISA bulletin that flagged the DarkSword Apple CVEs, two widely-used web development frameworks landed in the Known Exploited Vulnerabilities catalog with the same April 3 remediation deadline. CVE-2025-32432 (CVSS 10.0) is a code injection vulnerability in Craft CMS exploitable via deserialization of untrusted data; it has been assessed as a zero-day actively exploited since February 2025, and the threat group Mimo (also tracked as Hezb) has used it to deploy a cryptocurrency miner and residential proxyware on compromised hosts. CVE-2025-54068 (CVSS 9.8) is a code injection flaw in Laravel Livewire that can allow unauthenticated attackers to achieve remote command execution in specific deployment configurations. Both were patched in 2025 — Craft CMS in April, Laravel Livewire in July. If you have either framework in production and have not applied those updates, exploitation is confirmed active. The Hacker News →

Critical · Dev · Cloud+DevOps
CVE Watch
Patch of the Day
CVE-2026-25075 · CVSS 7.5
strongSwan IKEv2 VPN — 15-Year-Old Integer Underflow Crashes the VPN Daemon, Bishop Fox Published the PoC

CVE-2026-25075 is an integer underflow in strongSwan’s EAP-TTLS plugin affecting versions 4.5.0 through 6.0.4 — a code path that has existed for approximately 15 years. During IKEv2 authentication, the plugin subtracts a fixed value from an attacker-supplied AVP length field without first validating that the field is large enough to avoid wrapping. A crafted IKEv2 packet with a malformed AVP length triggers a massive heap allocation that corrupts memory and crashes the charon IKE daemon — taking down VPN connectivity for all connected users. Bishop Fox published a detailed technical write-up and a non-destructive detection tool on GitHub. No confirmed active exploitation has been reported, but with a public PoC now available, the window before weaponization is short. Upgrade to strongSwan 6.0.5 or disable the EAP-TTLS plugin if it is not required for your VPN authentication flow.

Vendor: strongSwan Project  ·  Affected: 4.5.0 – 6.0.4  ·  Patched: 6.0.5  ·  Exploited: PoC published (Bishop Fox); no confirmed in-the-wild
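The bug class above in the vulnerable shape beside the hardened one, as an added illustration that is not strongSwan's code: the 8-byte header, the 32-bit wrap and the field layout are assumptions modelling the Diameter-format AVPs that EAP-TTLS carries, not strongSwan's exact code path.

```python
"""Length check of the kind missing from strongSwan's EAP-TTLS AVP parsing.
Added illustration, not strongSwan code. EAP-TTLS carries Diameter-format AVPs
(4-byte code, 1 flag byte, 3-byte length covering the whole AVP, then data);
the 8-byte header and the 32-bit arithmetic are assumptions that model the bug
class the briefing describes, not the exact strongSwan code path."""
import struct

AVP_HEADER_LEN = 8   # code(4) + flags(1) + length(3); vendor-id flag not modelled
U32 = 0xFFFFFFFF

def data_len_unchecked(avp_length):
    """The vulnerable shape: subtract the header size from the attacker-controlled
    length with no prior check. In C this is unsigned arithmetic, so a length
    below 8 wraps to ~4 GB, which then sizes an allocation and a copy."""
    return (avp_length - AVP_HEADER_LEN) & U32

def parse_avp(buf):
    """The hardened shape: validate the declared length against both the header
    size and the bytes actually present before any arithmetic depends on it."""
    if len(buf) < AVP_HEADER_LEN:
        raise ValueError("truncated AVP header")
    code, flags_len = struct.unpack("!II", buf[:AVP_HEADER_LEN])
    flags, avp_length = flags_len >> 24, flags_len & 0xFFFFFF
    if avp_length < AVP_HEADER_LEN:
        raise ValueError(f"AVP length {avp_length} is smaller than its header")
    if avp_length > len(buf):
        raise ValueError(f"AVP length {avp_length} exceeds the {len(buf)} bytes received")
    return {"code": code, "flags": flags, "data": buf[AVP_HEADER_LEN:avp_length]}

def build_avp(code, flags, data, declared_length=None):
    """Constructed test input: a well-formed AVP, or one whose length field lies."""
    length = AVP_HEADER_LEN + len(data) if declared_length is None else declared_length
    return struct.pack("!II", code, (flags << 24) | length) + data

def rejects(buf):
    """True if the hardened parser refuses the buffer."""
    try:
        parse_avp(buf)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(hex(data_len_unchecked(3)))                                  # 0xfffffffb
    print(parse_avp(build_avp(1, 0x40, b"hello"))["data"])             # b'hello'
    print(rejects(build_avp(1, 0x40, b"hello", declared_length=3)))    # True
```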
Compliance Tip of the Day
NIST CSF 2.0 — GV.RM — Govern: Risk Management Strategy
DarkSword Is the Question Your Risk Appetite Statement Needs to Answer

GV.RM-02 requires organizations to establish, communicate, and maintain risk appetite and risk tolerance statements. DarkSword makes that requirement concrete: does your organization’s current risk appetite account for a scenario in which a nation-state surveillance chain targets the iPhones used by your executives, legal counsel, or IT administrators for work email, credentials, and VPN access? If the answer is “our risk appetite document doesn’t specifically address mobile device compromise by commercial spyware,” that is a gap worth closing today. Risk appetite is only useful if it is specific enough to drive a policy decision. Action: Add a mobile device security clause to your risk tolerance framework. Define a maximum acceptable patch lag for critical iOS and Android security updates on devices used for work — 72 hours after release is a defensible threshold. Tie it to an MDM enforcement policy with verification, not an honour system.

This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.

Sources: Google Threat Intelligence Group (DarkSword iOS, March 2026), cloud.google.com/blog · Lookout Threat Intelligence (DarkSword), lookout.com · iVerify (DarkSword exploit kit), iverify.io · BleepingComputer (CISA DarkSword KEV, March 28, 2026) · The Hacker News (DarkSword six-flaw chain) · CISA KEV catalog, cisa.gov/kev · The Hacker News (UNC6426 nx supply chain, March 2026) · Mandiant / Google Cloud (UNC6426 attribution) · Cloud Security Alliance (UNC6426 OIDC trust chain) · The Hacker News (Craft CMS CVE-2025-32432, Laravel CVE-2025-54068, March 2026) · strongSwan Project advisory (CVE-2026-25075), strongswan.org · Bishop Fox (CVE-2026-25075 analysis), bishopfox.com · NIST CSF 2.0, nist.gov/cyberframework
