Apple issues urgent lock screen warnings for unpatched iPhones and iPads

Apple is alerting users of outdated iPhones and iPads via lock screen warnings about active web-based exploits, urging immediate software updates.

Apple is sending lock screen alerts to users running outdated iOS and iPadOS versions, warning of active web-based attacks targeting their devices. The notifications urge users to install critical updates to stay protected, highlighting ongoing exploitation of older software versions.

“The alerts, which appear as a “Critical Software” notification from the Settings app, warn that Apple “is aware of attacks targeting out-of-date iOS software, including the version on your iPhone,” and urge users to install a critical update to protect their device.” reported MacRumors.”The notifications are being seen on devices running a range of older iOS versions, including iOS 17.0, far beyond the iOS 13 and iOS 14 devices that Apple specifically flagged in its support documentation.”

Apple warns that exploit kits like “Coruna” and “DarkSword” are actively targeting iOS versions 13 through 17.2.1. The company warns that on unpatched devices, simply clicking a malicious link or visiting a compromised website could allow attackers to exploit vulnerabilities and steal sensitive data.

“If your iPhone doesn’t have the latest software, update iOS to protect your data,” states Apple.

Coruna targets iOS versions 13.0 to 17.2.1, while DarkSword is aimed at newer devices running iOS 18.4 to 18.7.

Recently, Apple warned that iPhones running outdated iOS versions are at risk from exploit kits like Coruna and DarkSword. These attacks use malicious web content to trigger infection chains that can steal sensitive data. Users are strongly advised to update their devices to stay protected.

“Security researchers recently identified web-based attacks that target out-of-date versions of iOS through malicious web content. For example, if you’re using an older version of iOS and were to click a malicious link or visit a compromised website, the data on your iPhone might be at risk of being stolen.” reads Apple’s advisory. “We thoroughly investigated these issues as they were found and released software updates as quickly as possible for the most recent operating system versions to address vulnerabilities and disrupt such attacks.”

Keeping the iPhone updated is the most effective way to stay protected from threats like Coruna and DarkSword. Devices running the latest iOS versions are not vulnerable, and Lockdown Mode also blocks these attacks, even on older systems, though updates are still strongly recommended.

If your iPhone runs an older iOS version, take action:

• Devices on iOS 15 to iOS 26 are already protected if fully updated
• Apple released updates on March 11, 2026, to extend protection to iOS 15 and 16 devices
• Devices on iOS 13 or 14 must upgrade to iOS 15 and install a Critical Security Update
• Safari’s Safe Browsing feature helps block known malicious domains by default

Updating ensures user data remains secure.

This week, Kaspersky researchers reported that the Coruna iOS exploit kit uses an updated version of the same kernel exploit seen in the 2023 Operation Triangulation campaign. While early evidence didn’t clearly link the two, the code similarities now suggest a possible connection between them, though shared vulnerabilities alone don’t definitively prove the same actors are behind both attacks.

Researchers collected and analyzed Coruna components, confirming strong code similarities. The kit also includes four additional kernel exploits, some developed after Triangulation, all built on the same framework.

These findings suggest Coruna is not a mix of reused parts but a more advanced evolution of the same exploitation framework behind Operation Triangulation.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Coruna)