March 25, 2026

WebKit and Kernel Vulnerabilities and DarkSword Exploit

Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

  1. Enforce Patches: Immediately set your mobile security policy to enforce minimum patched versions of iOS/iPadOS 18.7.3 or iOS 26.2 (and ideally iOS 18.7.6 or iOS 26.3.1 for complete chain protection) across your fleet. (Note: DarkSword targets 18.4 – 18.7)
  2. Set Policy: Set the default OS Out of Date policy in your management console to require the fixed versions released by Apple to address this flaw.
  3. Limit Access: Choose to immediately warn or block non-compliant devices from accessing work applications and data until the OS is updated. If your risk policies allow for a grace period, it should be very short and escalate in severity and limitation to the user.
  4. Integrate Data: Security teams should leverage mobile EDR to integrate mobile device and app vulnerability data into their SIEM, SOAR, or XDR solution to monitor for potential exploitation attempts by sophisticated threat actors.
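The four steps above amount to one policy check: compare each device's OS version against the fixed versions per release branch, decide whether to allow, warn or block, and forward the result to the SIEM. The following is an added example of that check, written for this page and not Lookout's own console logic; the device inventory, the `mobile-edr-example` source tag and the allow/warn/block mapping are constructed for illustration, while the version thresholds and CVE identifiers come from the guidance itself.

```python
"""Added example: flag iOS/iPadOS devices below the patched versions named
in the guidance and emit a JSON event per non-compliant device for a SIEM.
Not Lookout's code; inventory format and action mapping are assumptions."""
import json
from dataclasses import dataclass, asdict

# Fixed versions from the guidance: minimum patched level, and the level
# recommended for complete chain protection, keyed by major release branch.
MINIMUM_PATCHED = {18: (18, 7, 3), 26: (26, 2, 0)}
RECOMMENDED = {18: (18, 7, 6), 26: (26, 3, 1)}
# Range the guidance says DarkSword targets: iOS 18.4 through 18.7.x.
TARGETED_LOW, TARGETED_HIGH = (18, 4, 0), (18, 8, 0)
RELATED_CVES = ["CVE-2025-43510", "CVE-2025-43520"]


def parse_version(text: str) -> tuple:
    """Parse '18.7.2' or '26.2' into a 3-tuple of ints, zero-padding missing
    components so that tuple comparison orders versions correctly."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


@dataclass
class Assessment:
    device_id: str
    os_version: str
    status: str        # compliant_recommended | compliant_minimum | non_compliant | unknown_branch
    action: str        # allow | warn | block | review  (example policy mapping)
    in_targeted_range: bool
    related_cves: list


def assess(device_id: str, os_version: str) -> Assessment:
    """Classify one device against the per-branch thresholds."""
    v = parse_version(os_version)
    major = v[0]
    in_range = TARGETED_LOW <= v < TARGETED_HIGH
    if major < min(MINIMUM_PATCHED):
        # Older than every branch that received the fix: always non-compliant.
        status, action = "non_compliant", "block"
    elif major not in MINIMUM_PATCHED:
        # A branch the guidance does not name; do not guess, send it for review.
        status, action = "unknown_branch", "review"
    elif v >= RECOMMENDED[major]:
        status, action = "compliant_recommended", "allow"
    elif v >= MINIMUM_PATCHED[major]:
        # Patched against these CVEs but below the level recommended for
        # complete chain protection: warn the user to update.
        status, action = "compliant_minimum", "warn"
    else:
        status, action = "non_compliant", "block"
    return Assessment(device_id, os_version, status, action, in_range, list(RELATED_CVES))


def siem_events(inventory) -> list:
    """Return one JSON event string per device that is not fully compliant,
    ready to forward to a SIEM/SOAR/XDR pipeline (step 4 above)."""
    events = []
    for device_id, os_version in inventory:
        a = assess(device_id, os_version)
        if a.action != "allow":
            events.append(json.dumps({"source": "mobile-edr-example", **asdict(a)}))
    return events


# Constructed sample inventory (device id, reported OS version); not real data.
INVENTORY = [
    ("ipad-001", "18.7.2"),   # in the targeted range and unpatched -> block
    ("iphone-002", "18.7.3"), # patched, below recommended level -> warn
    ("iphone-003", "26.3.1"), # recommended level -> allow
    ("iphone-004", "26.1"),   # unpatched 26.x branch -> block
    ("iphone-005", "17.7.1"), # older than every fixed branch -> block
]

if __name__ == "__main__":
    for event in siem_events(INVENTORY):
        print(event)
```

The thresholds are compared per major branch rather than as a single global minimum, because a device on iOS 26.1 is unpatched even though 26.1 sorts above 18.7.3. Any branch the guidance does not name is reported for review instead of being silently allowed.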

Overview

CISA has added both CVE-2025-43510 and CVE-2025-43520 to its Known Exploited Vulnerabilities (KEV) Catalog following reports of active exploitation in the wild. Both are high-severity vulnerabilities affecting the iOS kernel and multiple other Apple operating systems. These vulnerabilities are critical because they allow threat actors to escalate privileges from a sandboxed environment to full system control.

  • CVE-2025-43510 (CVSS 7.8) is an improper locking vulnerability where a malicious application can cause unexpected changes in memory shared between processes due to flawed lock state checking.
  • CVE-2025-43520 (CVSS 8.8) is a classic buffer overflow vulnerability in the kernel. It occurs due to improper memory handling, allowing a malicious application to cause system termination or write directly to kernel memory.

As of March 2026, these vulnerabilities have been reported as final-stage components in sophisticated exploit chains associated with the DarkSword exploit kit. Public reporting indicates that these chains have been used in highly targeted attacks against specific individuals. In observed cases, delivery methods included watering hole attacks, where legitimate websites were compromised to host malicious content that triggered the exploit chain.

Apple and security researchers are aware that these issues were exploited in highly sophisticated attacks against targeted individuals on versions of iOS prior to iOS 18.7.2 and iOS 26.1. Apple has addressed these flaws by improving memory handling and lock state checking in updated operating system releases. Patches were announced and released for iOS 18.7.2, iPadOS 18.7.2, iOS 26.1, macOS Tahoe 26.1, macOS Sequoia 15.7.2, watchOS 26.1, tvOS 26.1, and visionOS 26.1.

With both CVEs now in CISA's Known Exploited Vulnerabilities (KEV) Catalog, Federal Civilian Executive Branch (FCEB) agencies are required to remediate CVE-2025-43510 and CVE-2025-43520 by April 3, 2026. While CISA's requirement applies only to the U.S. government, enterprise organizations should use its guidance as a benchmark and devise an update plan of their own with a deadline for employees to update to the latest versions of Apple's operating systems.

Lookout Analysis

These two CVEs function as the Privilege Escalation and Kernel Compromise stages of the DarkSword exploit chain:

  1. Initial Access: The attack chain typically begins when a victim visits a compromised or malicious website, triggering earlier-stage vulnerabilities (such as CVE-2025-31277) to achieve initial code execution within the browser.
  2. Exploitation: Following initial compromise, the attacker escapes the browser sandbox and leverages CVE-2025-43510 to gain arbitrary memory read/write capabilities within a privileged system process.
  3. Chaining: These capabilities are then used to exploit CVE-2025-43520, enabling kernel-level privilege escalation and allowing the attacker to deploy a persistent spyware payload capable of full device compromise.

Authors

Lookout
