DarkSword Unleashed: CISA Mandates Emergency Apple Patching
March 21, 2026 • 10 min read
Three critical vulnerabilities in iOS and macOS have been added to the Known Exploited Vulnerabilities catalog as the "DarkSword" spyware campaign intensifies.
On March 21, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency update to its Known Exploited Vulnerabilities (KEV) Catalog. The agency added three high-severity flaws targeting Apple’s ecosystem: CVE-2025-31277 (WebKit), CVE-2025-43510 (Kernel), and CVE-2025-43520 (Security Framework). These flaws form the core of the "DarkSword" exploit chain, a sophisticated spyware delivery mechanism currently being used by mercenary threat actors to target journalists and government officials globally. Under Binding Operational Directive (BOD) 22-01, federal agencies must remediate these flaws by April 4, though private sector organizations are urged to patch within 24 hours.
The DarkSword Chain: WebKit to Kernel
The "DarkSword" campaign is a masterclass in modern mobile exploitation. The chain typically begins with a one-click WebKit exploit (CVE-2025-31277) delivered via a malicious link in iMessage or WhatsApp. Once the victim’s browser is compromised, the attacker leverages a kernel-level memory corruption flaw (CVE-2025-43510) to bypass Apple’s sandbox protections. The final stage involves CVE-2025-43520, which allows the spyware to gain persistent, high-privilege access to the device’s microphone, camera, and encrypted message databases.
What makes DarkSword particularly dangerous is its ability to bypass Lockdown Mode in specific iOS 19.x configurations. While Lockdown Mode significantly reduces the attack surface, the attackers have found a novel path through the modernized Apple Security Framework's "Trusted Execution" modules, which were designed to improve security but inadvertently introduced a new race condition.
Mercenary Spyware in 2026
Security firm Citizen Lab, which co-reported the findings with Apple, notes that the DarkSword spyware appears to be a successor to earlier commercial tools like Pegasus. However, it features a new "Volatile Payload" architecture—the spyware exists primarily in the device's RAM and attempts to self-delete its binary footprint if it detects an active debugging session or a forensic audit. This makes traditional mobile forensics incredibly difficult, requiring real-time network monitoring to identify the exfiltration of data.
Remediation: Urgent Patching Required
Apple has released iOS 19.4.1 and macOS 16.3.2 to address these vulnerabilities. Security teams should prioritize the following actions:
- Force Updates: Use MDM (Mobile Device Management) to force-install the latest Apple security updates on all corporate devices.
- Audit iMessage Logs: Look for unusual URLs or short-links delivered via iMessage from unknown contacts over the last 30 days.
- Enable Advanced Data Protection: Ensure that end-to-end encryption for iCloud backups is enabled to prevent exfiltration from the cloud if the device is compromised.
- Monitor Egress: Watch for unusual HTTPS traffic to high-entropy domains, a hallmark of the DarkSword exfiltration engine.
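As an added, illustrative defender-side example (not code from the article, Apple or CISA), the script below scores the registrable label of each HTTPS destination in a constructed egress log by Shannon entropy, the kind of check the last item above describes. The log format, device names, hostnames, entropy threshold and minimum label length are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample egress records (not from the article or any real capture):
# timestamp, device name, destination port, TLS SNI hostname, bytes sent.
SAMPLE_EGRESS_LOG = """\
2026-03-20T09:14:02Z ipad-exec-01 443 apple.com 1840
2026-03-20T09:14:05Z ipad-exec-01 443 x7q9z2k4m8v1.example-cdn.net 2396
2026-03-20T09:15:11Z iphone-press-07 443 a9f3kq7z0p2xv6b.net 512000
2026-03-20T09:15:40Z iphone-press-07 443 mail.example.org 4200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(host: str) -> str:
    """Label directly left of the suffix, e.g. 'example-cdn' for
    'x7q9z2k4m8v1.example-cdn.net'; scoring this instead of the full hostname
    keeps random-looking CDN subdomains from tripping the check.
    Assumption: one-part suffix; real code would use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_high_entropy_egress(log_text: str, threshold: float = 3.5,
                             min_len: int = 10) -> list[dict]:
    """Return HTTPS egress records whose registrable label looks machine-generated.
    The threshold and minimum length are assumed tuning values, not vendor guidance."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(3) != "443":
            continue
        _, device, _, host, sent = m.groups()
        label = registrable_label(host)
        h = shannon_entropy(label)
        if len(label) >= min_len and h >= threshold:
            hits.append({"device": device, "host": host,
                         "entropy": round(h, 2), "bytes_out": int(sent)})
    return hits

if __name__ == "__main__":
    for hit in flag_high_entropy_egress(SAMPLE_EGRESS_LOG):
        print(hit)
```

Entropy alone produces false positives on legitimate names built from random tokens, so pair a hit with the bytes-out volume it carries and an allowlist of known services before treating it as an exfiltration indicator.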
Conclusion: The Perpetual Arms Race
The addition of the DarkSword vulnerabilities to the CISA KEV catalog is a reminder that the mobile security landscape remains a perpetual arms race. Even as Apple hardens its hardware and software, the economic incentives for state-sponsored and mercenary attackers remain immense. In 2026, "zero-day" is no longer a rare event but a weekly reality for enterprise security teams. The message from CISA is clear: patch today, or assume you are already sharing your data with the next generation of spyware.