Apple has issued emergency security updates for older iPhones and iPads that cannot run the latest iOS 26, backporting critical fixes that protect against the Coruna exploit kit — one of the most sophisticated iOS attack frameworks ever publicly documented. Released on March 11, 2026, iOS 15.8.7 and iOS 16.7.15 bring patches that were originally shipped in the iOS 17 branch back in 2023 and early 2024 to devices that missed them entirely because they could not upgrade. The Coruna exploit kit contains 23 exploits across five complete attack chains and was actively used by state-linked espionage groups and financially motivated criminals to compromise iPhones running iOS 13 through 17.2.1. If you or anyone you know has an older iPhone — an iPhone 6s, 7, 8, SE, or X — this update is not optional.
Affected products
- ·iPhone 6s (all models), iPhone 7 (all models), iPhone SE 1st generation — update to iOS 15.8.7
- ·iPad Air 2, iPad mini 4th generation, iPod touch 7th generation — update to iOS/iPadOS 15.8.7
- ·iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st generation — update to iOS/iPadOS 16.7.15
- ·All devices running iOS 13.0 through 17.2.1 were potentially vulnerable to the Coruna exploit kit before this patch
How to Fix
Step-by-step remediation
The fix is straightforward — update your device. On an older iPhone or iPad, go to Settings → General → Software Update. If your device is an iPhone 6s, iPhone 7, or iPhone SE first generation, you are looking for iOS 15.8.7. If your device is an iPhone 8, iPhone 8 Plus, or iPhone X, you are looking for iOS 16.7.15. Both updates were released on March 11, 2026 and are available now. If the update does not appear, make sure your device has enough storage space free and is connected to Wi-Fi. If you have a newer device on iOS 26, ensure you are on iOS 26.3 or later. For organizations managing a fleet of older devices, treat this as a critical priority patch — the CISA KEV deadline of March 26, 2026 applies to federal agencies, but the risk applies to everyone. If you have employees or family members using older iPhones who may not know an update is available, help them get it installed.
What happened
Coruna is not a typical piece of mobile malware. It is a professional-grade exploit framework originally developed by or for a commercial surveillance vendor, the kind of organization that sells spyware tools to government clients. Researchers first observed it in February 2025 being used by a customer of an unnamed surveillance company. By July 2025 it was being used in watering hole attacks against Ukrainian websites by a suspected Russian espionage group. By December 2025 it had spread further — fake Chinese financial and cryptocurrency websites were delivering it to iPhone users who visited them on their devices. The kit works by fingerprinting a visitor's device — silently checking the iPhone model, iOS version, and security settings from a malicious webpage — and then delivering the precise exploit chain that matches that specific device. It contains 23 individual exploits organized into five complete chains, allowing it to target virtually any iPhone running iOS 13.0 through 17.2.1. The vulnerabilities it exploits include WebKit memory corruption flaws, a kernel use-after-free bug, and two exploits originally weaponized as zero-days in Operation Triangulation — the 2023 campaign that targeted iPhones belonging to Russian users and was later attributed by Russia to US intelligence services.
Real-World Impact
What makes this situation particularly serious is the trajectory of the Coruna exploit kit. It began as an expensive, targeted surveillance tool used against specific high-value individuals. It then moved into the hands of state-linked espionage groups conducting broader campaigns. By December 2025 it was being used by financially motivated criminals targeting ordinary users through fake gambling and cryptocurrency websites. This is a documented pattern with sophisticated exploit frameworks — they start targeted, they get shared or leaked, and eventually they get used in mass attacks. The fact that Apple is now backporting fixes to iOS 15 and iOS 16 devices is an acknowledgment that real users on older hardware are being actively targeted. CISA added three of the CVEs exploited by Coruna to its Known Exploited Vulnerabilities catalog on March 5, 2026, with a mandatory patch deadline of March 26, 2026 for US federal agency devices — a strong signal that this threat is real and ongoing.
Technical Details
🛡️ Prevention Tips
The deeper lesson from Coruna is that not updating your iPhone is not a neutral choice — it is an active risk. Every month that passes on an unpatched device is another month that attackers have a known, working exploit chain available to use against you. The Coruna kit was exploiting vulnerabilities that Apple had already patched in iOS 17 back in 2023. The users who were compromised were running older iOS versions that never received those fixes. Avoid visiting unfamiliar financial websites, cryptocurrency platforms, or gambling sites from your iPhone browser — these are documented delivery vectors for the Coruna kit. Be cautious of any website that prompts you to visit it specifically from your mobile device for a better experience — this is a known social engineering technique used to target mobile users with device-specific exploits.
FAQs
How do I know if my iPhone is affected?
If you have an iPhone 6s, iPhone 7, iPhone SE 1st generation, iPhone 8, iPhone 8 Plus, or iPhone X — and you have not yet installed iOS 15.8.7 or iOS 16.7.15 — your device is unpatched against the Coruna exploit kit. Go to Settings → General → Software Update right now.
Was my iPhone actually hacked by Coruna?
Coruna has primarily been used in targeted attacks against specific individuals and in watering hole campaigns targeting Ukrainian government-linked sites and fake Chinese financial websites. The average user is unlikely to have been targeted, but the risk increases as the kit spreads to financially motivated criminals. The fact that Apple released these patches means the threat is real enough to warrant urgent action.
My iPhone is too old to receive even iOS 15 or 16 updates. What should I do?
If your device cannot receive any further security updates it is permanently exposed to known vulnerabilities. The most important thing you can do is avoid using that device for anything sensitive — banking apps, cryptocurrency, email, or any service that contains personal or financial data. Seriously consider replacing it with a device that still receives security updates.
Read Next
android · malware
Six New Android Malware Families Discovered Targeting Banking Apps, Pix Payments, and Crypto Wallets in Real Time
cohere ai · terrarium
CVE-2026-5752: Cohere AI Terrarium Sandbox Flaw Allows Root Code Execution and Container Escape — No Patch Coming
microsoft · patch tuesday
Microsoft April 2026 Patch Tuesday: SharePoint Zero-Day CVE-2026-32201 Actively Exploited + CVSS 9.8 Windows IKE RCE Among 169 Fixes
openai · supply chain attack
OpenAI Revokes macOS App Certificate After North Korea's Axios Supply Chain Attack — Update ChatGPT Before May 8
weekly roundup · cybersecurity
This Week in Cybersecurity — April 11, 2026: npm Backdoors, Adobe Zero-Day, Docker Escape & More
Last updated: March 12, 2026