DarkSword Exploit: Critical iPhone Vulnerabilities Impact Older iOS 18 Devices

Security researchers have uncovered 'DarkSword,' a sophisticated exploit chain targeting older iOS 18 versions (18.4-18.7) on millions of iPhones. This zero-click threat, used by state-sponsored actors and commercial spyware vendors globally, can steal sensitive data, emphasizing the urgent need for users to update their devices to the latest iOS 26.3.1 or iOS 18.7.6.

Key Highlights

  • DarkSword exploit chain targets older iOS 18.x versions.
  • Utilizes six zero-day vulnerabilities for full device compromise.
  • Allows theft of passwords, crypto data, messages, and location.
  • Actively used by state-sponsored actors and commercial spyware.
  • Millions of iPhones on older iOS 18 versions remain vulnerable.
  • Immediate iOS update to 26.3.1 or 18.7.6 is crucial.

A sophisticated and dangerous vulnerability chain, dubbed 'DarkSword,' has been uncovered by a collaborative effort of security researchers from Lookout, Google's Threat Intelligence Group (GTIG), and iVerify. This exploit specifically targets older versions of Apple's iOS 18 operating system, ranging from iOS 18.4 through iOS 18.7, exposing millions of iPhone users worldwide to potential compromise and extensive data theft. The Hindu, in an article published on March 19, 2026, highlighted this critical new attack pathway, underscoring the severity of the threat.

DarkSword is a full-chain exploit, meaning it leverages a sequence of multiple vulnerabilities to bypass Apple's robust security layers and gain complete control over an affected device. Researchers have identified six specific zero-day vulnerabilities (CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520) that DarkSword exploits. The attack typically manifests as a 'zero-click' or 'one-click' exploit, often delivered through malicious websites in what is known as 'watering hole' attacks. This means a user could unknowingly trigger the exploit simply by visiting a compromised webpage, without needing to download anything or click on a suspicious link.

The implications of a successful DarkSword attack are severe. Once an iPhone is compromised, the attackers gain unfettered access to sensitive user data. This includes, but is not limited to, saved passwords, cryptocurrency wallet information, personal messages, location history, and data from signed-in accounts. The exploit has been actively used since at least November 2025 by various malicious actors, including multiple commercial surveillance vendors and suspected state-sponsored groups. Google's GTIG noted the proliferation of this single exploit chain across disparate threat actors, highlighting a concerning trend in the cybersecurity landscape.

Notably, a suspected Russian espionage group, identified as UNC6353, previously known for using a similar exploit kit named 'Coruna,' has also incorporated DarkSword into its campaigns, particularly targeting Ukrainian users. While the threat is global, with observed targets in Saudi Arabia, Turkey, Malaysia, and Ukraine, its potential reach extends to any iPhone user running the vulnerable iOS versions. According to iVerify and Lookout, an estimated 220 million to 270 million iPhones still run exposed iOS 18 versions, making a significant portion of the global iPhone user base potentially susceptible if they have not updated their devices. Lookout further estimates that roughly 15% of all iOS devices currently in use are running iOS 18 or earlier versions and could be vulnerable.

Fortunately, Apple has addressed the vulnerabilities leveraged by DarkSword. Google reported these flaws to Apple in late 2025, and all six vulnerabilities were patched with the release of iOS 26.3, with most being patched in earlier updates. For users still on the iOS 18 branch, an update to iOS 18.7.6 is crucial for protection. The latest general iOS version, iOS 26.3.1, was released earlier in March 2026 and provides comprehensive protection against these threats. Apple has also taken steps to provide emergency software updates for older devices that might not be capable of running the latest iOS 26 versions, ensuring broader protection for its user base.

Beyond updating, security researchers recommend enabling 'Lockdown Mode' on iPhones. This hardened security feature, designed to significantly reduce the attack surface by limiting certain functionalities often exploited by attackers, can provide an additional layer of defense for users, especially those unable to update immediately.

This incident also highlights Apple's evolving approach to security updates. The company has introduced 'Background Security Improvements' (BSI) with iOS 26.1, iPadOS 26.1, and macOS 26.1. These lightweight security releases, delivered between major software updates, target components like Safari and the WebKit framework, allowing for quicker patching of critical vulnerabilities. The first BSI update (iOS 26.3.1) specifically addressed a WebKit vulnerability (CVE-2026-20643) found by security researcher Thomas Espach. This proactive measure aims to enhance the security posture of Apple devices against rapidly evolving threats.

For an audience in India, where iPhone adoption is significant, this news is highly relevant. The potential for state-sponsored surveillance and financial data theft underscores the importance of maintaining up-to-date software. Timely updates are the most effective defense against such sophisticated exploit chains, and users are strongly advised to check their iOS versions and update their devices without delay.
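
For anyone responsible for more than one iPhone, the version guidance above can be applied to a device inventory. The Python script below is an added example, not code from the researchers or from Apple; the CSV column names, device names and label strings are assumptions, and it treats every 18.x build from 18.4 up to (but not including) 18.7.6 as exposed.

```python
import csv

# Thresholds from the article: the chain targets iOS 18.4 through 18.7, the
# 18 branch is fixed in 18.7.6, and all six CVEs are fixed as of iOS 26.3.
TARGET_MIN = (18, 4, 0)
FIXED_18 = (18, 7, 6)
FIXED_26 = (26, 3, 0)

def parse_version(text):
    """Turn '18.6.2' or '18.5' into a comparable 3-tuple; reject anything else."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

def classify(version_text):
    """Return a triage label for one reported iOS version."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"          # never count an unparsable value as safe
    if v >= FIXED_26:
        return "patched"
    if v[0] > 18:
        return "missing-fixes"    # 26.x before 26.3 lacks at least one fix
    if v >= FIXED_18:
        return "patched"
    if v >= TARGET_MIN:
        return "in-target-range"  # assumption: all of 18.4 up to 18.7.6 is exposed
    return "outdated"             # below 18.4: outside the stated range, unpatched

def triage(inventory_csv):
    """Group device names by triage label from an MDM-style CSV export."""
    groups = {}
    for row in csv.DictReader(inventory_csv.splitlines()):
        groups.setdefault(classify(row["os_version"]), []).append(row["device"])
    return groups

# Constructed sample inventory; column names are assumptions, not a real MDM schema.
SAMPLE = """device,os_version
exec-iphone-01,18.5
field-iphone-07,18.7.6
lab-iphone-02,26.2
byod-iphone-09,18.7
byod-iphone-12,n/a
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Devices labelled `in-target-range`, `missing-fixes`, `outdated` or `unknown` are the ones to update or investigate first; Lockdown Mode is the interim measure the researchers recommend for those that cannot be updated immediately.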

Frequently Asked Questions

What is the 'DarkSword' exploit chain?

DarkSword is a sophisticated exploit chain discovered by security researchers that leverages multiple vulnerabilities to gain full control over iPhones running specific older versions of iOS 18 (18.4 through 18.7). It can steal sensitive information like passwords, crypto data, and messages.

Which iPhone models and iOS versions are vulnerable to DarkSword?

iPhones running older iOS versions from 18.4 to 18.7 are susceptible to DarkSword. While Apple has since transitioned to iOS 26, millions of devices on these unpatched older iOS 18 versions remain vulnerable. Users should update to iOS 26.3.1 or, for older devices, iOS 18.7.6.

How do attackers use DarkSword, and what kind of data can they steal?

Attackers typically deploy DarkSword via 'watering hole' attacks, where users visit compromised websites that trigger the exploit, often without any interaction (zero-click). If successful, it allows them to steal passwords, cryptocurrency wallet data, messages, location history, and data from signed-in accounts.

Who is behind the DarkSword attacks?

Multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword since November 2025. A suspected Russian espionage group (UNC6353) is among those utilizing this exploit chain.

What should iPhone users do to protect themselves?

Users should immediately update their iPhones to the latest available iOS version, specifically iOS 26.3.1. If their device cannot update to iOS 26, they should ensure they are running iOS 18.7.6. Additionally, enabling 'Lockdown Mode' in their iPhone's security settings is recommended as an extra protective measure.
