CISA adds three Apple flaws tied to DarkSword attacks, orders federal fixes by April 3


CISA has added three Apple vulnerabilities to its Known Exploited Vulnerabilities catalog after evidence showed attackers were using them in real-world attacks. The newly listed bugs are CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520, and CISA’s catalog lists a remediation due date of April 3, 2026, for federal civilian agencies.

The warning matters because these bugs are linked to DarkSword, a sophisticated iOS exploit chain that Google Threat Intelligence Group says multiple threat actors have used since at least November 2025. Google says the campaign targeted users in Saudi Arabia, Turkey, Malaysia, and Ukraine, and delivered malware families it tracks as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

One important clarification is needed. Google does not describe DarkSword as a three-bug chain built only from the CVEs CISA just added. Google says DarkSword uses six vulnerabilities in total, and only one of the three newly highlighted CISA CVEs, CVE-2025-31277, appears in Google’s published table of DarkSword stages. The other two, CVE-2025-43510 and CVE-2025-43520, were still added by CISA to KEV and are tied by public reporting and CISA references to the same broader threat activity.

What CISA added to KEV

CISA’s March 20 alert says it added five vulnerabilities to the KEV catalog, including three Apple flaws. The KEV catalog entry for CVE-2025-31277 shows an April 3, 2026 due date for federal agencies. NVD’s record for CVE-2025-43510 also reflects CISA’s KEV linkage, confirming the catalog action for that Apple flaw as well.

| CVE | What Apple says | Status |
| --- | --- | --- |
| CVE-2025-31277 | Processing maliciously crafted web content may lead to memory corruption in WebKit or JavaScriptCore-related components | Added to CISA KEV as exploited |
| CVE-2025-43510 | A malicious app may cause unexpected changes in memory shared between processes | Added to CISA KEV as exploited |
| CVE-2025-43520 | A malicious app may cause unexpected system termination or write kernel memory | Added to CISA KEV as exploited |

What Google says about DarkSword

Google’s March 18 report describes DarkSword as a full-chain iOS exploit that supports iOS 18.4 through 18.7 and uses six different vulnerabilities to fully compromise devices. Google says it reported the vulnerabilities used in DarkSword to Apple in late 2025 and says all of them were patched by iOS 26.3, with most fixed earlier.

Google’s published DarkSword table specifically lists CVE-2025-31277 as a memory corruption vulnerability in JavaScriptCore, alongside CVE-2025-43529 and CVE-2026-20700 in the remote code execution stages. The report does not publicly map CVE-2025-43510 or CVE-2025-43520 into that same table, which is why it is safer to say CISA added three Apple flaws linked to DarkSword activity, not that Google confirmed those three alone make up the full chain.

Apple’s patches are already out

Apple’s security notes show that CVE-2025-43510 and CVE-2025-43520 were fixed in iOS 18.7.2 and iPadOS 18.7.2, as well as macOS Sequoia 15.7.2, watchOS 26.1, and other Apple platforms. Apple’s advisory for macOS Sequoia 15.7.2 says CVE-2025-43510 involved improved lock-state checking, while CVE-2025-43520 involved improved memory handling.

For CVE-2025-31277, Apple’s Safari 18.6 advisory says processing maliciously crafted web content could lead to memory corruption. Apple also lists that CVE in other platform advisories, which shows the bug affected more than one product family.

Why defenders should care

This is not just another routine patch notice. DarkSword is the kind of exploit kit security teams worry about because it has already been reused by more than one threat actor. Google says suspected state-backed operators and commercial surveillance vendors both used it in separate campaigns. That makes the KEV addition more than a paperwork exercise. It signals confirmed exploitation and a real need to patch quickly.

CISA’s KEV program exists for exactly this reason. Once a flaw lands in the catalog, federal agencies must treat it as an active risk. Private-sector defenders should read that as a strong warning too, especially when the affected products sit on phones, tablets, watches, and desktops used for both personal and work data.

What admins and users should do now

  • Update Apple devices to the latest available security release
  • Prioritize iPhones and iPads that may still run older 18.x builds
  • Patch Macs, Apple Watches, and other Apple devices in the same fleet
  • Enable Lockdown Mode where higher-risk users need extra protection
  • Hunt for signs of watering-hole or targeted mobile exploitation if you support exposed users in regions named by Google

Quick patch snapshot

| Platform | Apple update mentioned in official advisories |
| --- | --- |
| iPhone and iPad | iOS 18.7.2 / iPadOS 18.7.2 fixed CVE-2025-43510 and CVE-2025-43520 |
| Mac | macOS Sequoia 15.7.2 fixed CVE-2025-43510 and CVE-2025-43520 |
| Apple Watch | watchOS 26.1 fixed CVE-2025-43510 and CVE-2025-43520 |
| Safari and WebKit-related products | Safari 18.6 and related platform updates addressed CVE-2025-31277 |
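
One way to turn the patch snapshot above into a fleet check, as an added example that is not part of the original article or any CISA or Apple tooling. The hostnames, the inventory and the function names are constructed for illustration; the fix versions and due date are the ones quoted on this page, and any product or release train the page gives no fix version for is reported as `verify` rather than guessed.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed (fields cveID, dueDate);
# the CVE IDs and due date are the ones quoted in the article.
KEV = [{"cveID": c, "dueDate": "2026-04-03"}
       for c in ("CVE-2025-31277", "CVE-2025-43510", "CVE-2025-43520")]

# Fix versions taken only from the article's patch snapshot.
OS_FIX = {"iOS": "18.7.2", "iPadOS": "18.7.2", "macOS": "15.7.2", "watchOS": "26.1"}
FIXED_IN = {"CVE-2025-43510": OS_FIX, "CVE-2025-43520": OS_FIX,
            "CVE-2025-31277": {"Safari": "18.6"}}

def parse(version):
    """'26.1' -> (26, 1, 0) so short and long version strings compare cleanly."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(cve, product, version):
    """Return 'patched', 'vulnerable' or 'verify' for one installed version."""
    fixed = FIXED_IN[cve].get(product)
    if fixed is None:
        return "verify"  # the article gives no fix version for this product
    have, need = parse(version), parse(fixed)
    if have[0] != need[0]:
        return "verify"  # other release train: a higher major is not proof of a fix
    return "patched" if have >= need else "vulnerable"

def triage(inventory, today):
    """List (host, cve, status, days_to_due) for every finding not yet 'patched'."""
    findings = []
    for host, product, version in inventory:
        for rec in KEV:
            state = status(rec["cveID"], product, version)
            if state != "patched":
                days = (date.fromisoformat(rec["dueDate"]) - today).days
                findings.append((host, rec["cveID"], state, days))
    return findings

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [("iphone-041", "iOS", "18.6.2"), ("iphone-117", "iOS", "18.7.2"),
             ("iphone-203", "iOS", "26.0"), ("mac-009", "macOS", "15.7.1"),
             ("mac-009", "Safari", "18.5")]

if __name__ == "__main__":
    for row in triage(INVENTORY, date(2026, 3, 23)):
        print(*row, sep="\t")
```

A `verify` result means the row needs a lookup in Apple's advisory for that product or release train before it can be closed.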

FAQ

Did CISA confirm these Apple bugs are actively exploited?

Yes. CISA added them to the KEV catalog, which means the agency has evidence of active exploitation.

Is DarkSword only a three-vulnerability chain?

No. Google says DarkSword uses six vulnerabilities. The three Apple CVEs CISA just highlighted are part of the current warning, but Google’s public DarkSword table includes more than those three.

What is the federal patch deadline?

CISA’s KEV listing shows April 3, 2026 as the due date for federal agencies for CVE-2025-31277, and reporting on the March 20 KEV batch says the same due date applies to the Apple entries added in that round.

Which Apple updates matter most right now?

At minimum, affected users should move to patched releases such as iOS 18.7.2, iPadOS 18.7.2, macOS Sequoia 15.7.2, and watchOS 26.1, then continue to newer releases where available. Google also urges users to update to the latest iOS version.
