March 25, 2026

WebKit Vulnerability and DarkSword Exploit

Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

  1. Enforce Patches: Immediately set your mobile security policy to enforce iOS/iPadOS 18.6 as the minimum patched operating system version across your entire Apple mobile fleet. (Note: DarkSword targets 18.4 – 18.7)
  2. Set Policy: Set the default OS Out of Date policy in your management console to require the fixed versions released by Apple to address this flaw.
  3. Limit Access: Choose to immediately warn or block non-compliant devices from accessing work applications and data until the OS is updated. If your risk policies allow for a grace period, it should be very short, and the warnings and access limits applied to the user should escalate as it runs out.
  4. Integrate Data: Security teams should leverage mobile EDR to integrate mobile device and app vulnerability data into their SIEM, SOAR, or XDR solution to monitor for potential exploitation attempts by sophisticated threat actors.
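The four steps above amount to one policy: compare each device's OS against the fixed release for its platform, warn during a short grace window, block once it lapses or a hard deadline passes, and emit the result in a form a SIEM can ingest. The script below is an added example of that logic, not Lookout's code or a console feature. The minimum versions and the April 3, 2026 deadline are taken from this guidance; the platform strings, inventory fields, and the sample device list are constructed assumptions standing in for an MDM or EDR export.

```python
"""Constructed example: grade a fleet inventory against the fixed OS
versions for CVE-2025-31277 and decide allow / warn / block per device.
Not Lookout's code; field names and sample devices are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Fixed releases named in the guidance. Platform keys are an assumption
# about how an inventory export labels devices.
MIN_PATCHED = {
    "iOS": "18.6",
    "iPadOS": "18.6",
    "macOS": "15.6",
    "watchOS": "11.6",
    "visionOS": "2.6",
    "tvOS": "18.6",
}
CVE = "CVE-2025-31277"
CISA_DEADLINE = date(2026, 4, 3)  # KEV remediation date from the guidance


def parse_version(v: str) -> tuple:
    """'18.6.1' -> (18, 6, 1). Comparing tuples, not strings, avoids the
    classic bug where '18.10' sorts below '18.6' as text."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(platform: str, version: str):
    """True/False for known platforms; None when the platform is not in
    scope so it is flagged for review rather than silently allowed."""
    minimum = MIN_PATCHED.get(platform)
    if minimum is None:
        return None
    return parse_version(version) >= parse_version(minimum)


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str
    noncompliant_since: date  # first day the device was seen unpatched


def decide(dev: Device, today: date, grace_days: int, deadline: date) -> str:
    """Short grace window that escalates from warn to block, and a hard
    stop at the organisation-wide deadline regardless of grace."""
    patched = is_patched(dev.platform, dev.os_version)
    if patched is None:
        return "review"
    if patched:
        return "allow"
    grace_ends = dev.noncompliant_since + timedelta(days=grace_days)
    if today >= grace_ends or today > deadline:
        return "block"
    return "warn"


def evaluate_fleet(devices, today, grace_days=3, deadline=CISA_DEADLINE):
    """Return one SIEM-friendly event dict per device."""
    events = []
    for dev in devices:
        events.append({
            "device_id": dev.device_id,
            "platform": dev.platform,
            "os_version": dev.os_version,
            "cve": CVE,
            "action": decide(dev, today, grace_days, deadline),
        })
    return events


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("d1", "iOS", "18.6.1", date(2026, 3, 1)),
    Device("d2", "iPadOS", "18.10", date(2026, 3, 1)),   # string compare would misgrade this
    Device("d3", "iOS", "18.5", date(2026, 3, 24)),      # one day unpatched
    Device("d4", "macOS", "15.3", date(2026, 3, 10)),    # grace long expired
    Device("d5", "Linux", "2.46", date(2026, 3, 1)),     # WebKitGTK host, no version on page
]

if __name__ == "__main__":
    for event in evaluate_fleet(SAMPLE_DEVICES, date(2026, 3, 25)):
        print(json.dumps(event))
```

Run as-is to print one JSON line per device, which can be shipped to a SIEM or SOAR as a compliance event; in practice the device list would come from the management console's inventory API rather than the embedded sample.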

Overview

CISA has listed CVE-2025-31277 as a high-severity (CVSS 8.8) memory corruption vulnerability (specifically a buffer overflow) in Apple's WebKit engine, affecting Apple's operating systems as well as Linux distributions that ship WebKitGTK. The corruption is triggered when the WebKit engine processes maliciously crafted web content, and successful exploitation may allow an attacker to execute arbitrary code on the affected device. The vulnerability carries a high severity rating because it can be triggered remotely through web content.

As of March 2026, this vulnerability is gaining significant attention because it was recently identified as a key entry point for the "DarkSword" exploit kit, a sophisticated surveillance and data-exfiltration tool used by multiple threat actors. This vulnerability has been observed as part of real-world attack chains used to deploy sophisticated malware targeting Apple devices. The flaw has been addressed with improved memory handling in updated Apple operating system releases.

Apple is aware of reports that this issue may have been exploited in "an extremely sophisticated attack against specific targeted individuals" on versions of iOS before iOS 18.6. Apple announced patches with the release of Safari 18.6, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6.

CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) Catalog. Federal Civilian Executive Branch (FCEB) agencies are required to remediate CVE-2025-31277 by April 3, 2026. While CISA’s requirement is only for the U.S. government, enterprise organizations should use their guidance as a benchmark and devise an update plan of their own with a deadline for employees to update to the latest versions of Apple’s operating systems.

Lookout Analysis

This CVE is the primary "1-click" initial access vector for the “DarkSword” exploit kit.

  1. Initial Access: CVE-2025-31277 serves as the primary "1-click" initial access vector used by the DarkSword exploit kit. The victim is lured to visit a malicious or compromised website containing specially crafted web content.
  2. Exploitation: The malicious content exploits CVE-2025-31277 to achieve initial code execution within the browser sandbox.
  3. Chaining: This vulnerability is then combined with additional flaws (such as sandbox bypass vulnerabilities like CVE-2026-20700) to escape browser protections, escalate privileges to the kernel level, and deploy spyware.
  4. Impact: Successful exploitation can result in full device compromise, enabling attackers to collect sensitive data including messages, location information, and audio or camera recordings.

Authors

Lookout

Entry Type: Threat Guidances
Threat Type: Vulnerability