Darksword/Coruna/WebKit/Predator/Safari exploit cluster & spyware (A12 cutoff, CISA KEV/BOD, post-patch persistence iOS 18.7.7/26.5 Beta/iOS 18 backports expanding incl. rare DarkSword patches for Liquid Glass holdouts refusing iOS 26, Dopamine/jailbreaks iOS 26.0.1, CoreAudio/PAC bypass/Terminal legacy exploits, Settings warnings/USB risk)
Key Questions
What is the iOS 18.7.7 update addressing?
The iOS 18.7.7 update backports critical DarkSword zero-day patches, fixing 13 vulnerabilities including 6 flaws and 3 zero-days with CVSS scores of 8.8+, primarily affecting A12 devices on iOS 15-18.7. It targets users refusing iOS 26 upgrades due to issues like Liquid Glass concerns.
Why is Apple issuing rare patches for older iOS versions like 18.7.7?
Apple is protecting holdouts on iOS 18.4-18.7 and iOS 13-17.2.1 from active exploits like DarkSword spyware delivered via malicious links, amid CISA KEV/BOD listings and reports from MIIT, BSI, and GitHub leaks.
What devices are impacted by the DarkSword exploit cluster?
A12 and older iPhones/iPads on iOS 15-18.7 or 13-17.2.1 are affected, with around 270 million unpatched devices vulnerable to WebKit, Safari, Terminal, and PAC bypass flaws.
What are the risks associated with these exploits?
Exploits enable zero-click spyware installation via Safari/phishing, USB attacks on iOS 26, iTunes XSS, FingerprintJS issues, and post-patch persistence, with warnings in Settings and confirmed TA446 phishing campaigns.
Is there a connection to jailbreaks and iOS 26?
Dopamine and other jailbreaks target iOS 26.0.1, while legacy Terminal/CoreAudio/PAC bypass exploits persist; iOS 26.5 Beta includes expanding backports, but holdouts face rare DarkSword patches.
What warnings has Apple issued to users?
Apple has sent Settings alerts about potential spyware risks, urging updates amid USB vulnerabilities and malicious link campaigns reconfirmed by CISA, Google, CERT-In, and MIIT.
How severe are the vulnerabilities mentioned?
The cluster includes CVSS 8.8+ zero-days like CVE-2026-20643 (WebKit/PAC bypass), CVE-2026-28894 (Coruna/DoS), affecting Safari and Terminal, listed in CISA KEV with active exploitation.
Should users on older iOS versions update immediately?
Yes, iOS 18.7.7 provides urgent fixes for 270M devices; auto-updates apply to iOS 18.4-18.7, but manual installation is advised for iOS 13-17.2.1 amid rising hesitancy and beta warnings.
Apple backported DarkSword zero-day patches (13 vulns/6 flaws/3 zero-days CVSS 8.8+, 270M unpatched A12/iOS 15-18.7/13-17.2.1) to iOS/iPadOS 18.7.7 for holdouts refusing iOS 26 over Liquid Glass hate, urgent toolkit fixes via malicious links reconfirmed amid GitHub leak/TA446 phishing (Apr 2026 XR-16/iPads/11-16 holdouts/18.4-18.7 auto-updates/BSI); MIIT urgent Safari/Terminal/Axios npm; PAC bypass/WebKit CVE-2026-20643/Coruna/DoS CVE-2026-28894/iOS26 USB; zero-click Safari/phishing/FingerprintJS/iTunes XSS/jailbreak/Settings alerts; CISA/Google/CERT-In/MIIT; hesitancy rising amid betas/warnings/leaks.