← Back to Security Blog
Product Update March 8, 2026 10 min read

Coruna iOS Exploit Kit Hits KEV, Cisco SD-WAN Under Mass Exploitation, Google Counts 90 Zero-Days in 2025

CISA adds the Coruna iOS exploit kit targeting 23 vulnerabilities to its Known Exploited Vulnerabilities list. Cisco Catalyst SD-WAN CVE-2026-20127 faces mass exploitation from hundreds of IPs. Google's 2025 zero-day report reveals 90 exploited zero-days — half targeting enterprises. Plus: ArmorCode and Evervault funding rounds, BoryptGrab stealer on GitHub, and Rockwell ICS flaws exploited in the wild.


🍎 CISA Adds Coruna iOS Exploit Kit Flaws to KEV

⚠️ Federal Agencies Must Patch Immediately

CISA has added 23 vulnerabilities exploited by the Coruna iOS exploit kit to its Known Exploited Vulnerabilities (KEV) catalog. The nation-state-grade exploit kit targets iOS versions 13 through 17.2.1, chaining multiple flaws for full device compromise.

Key Details

Exploit Chain Architecture

StageVulnerability TypeImpact
Initial AccessWebKit memory corruptionRemote code execution via malicious web content
Sandbox EscapeKernel privilege escalationBreak out of WebKit sandbox
PersistenceSecurity framework bypassCircumvent code signing and app sandboxing
Full CompromiseKernel read/write primitiveComplete device control, data exfiltration

📱 Action Required

Federal agencies face a mandatory patching deadline. All organizations should update iOS devices to the latest version immediately and audit their fleet for devices running iOS 13–17.2.1. Enterprise MDM solutions should enforce minimum OS version policies.


🌐 Cisco Catalyst SD-WAN CVE-2026-20127 Under Mass Exploitation

⚠️ Active Mass Exploitation in Progress

WatchTowr researchers report that CVE-2026-20127, a critical authentication bypass in Cisco Catalyst SD-WAN Manager, is now under mass exploitation from numerous unique IP addresses worldwide.

Vulnerability Overview

Exploitation Telemetry

MetricValue
Unique attacking IPs400+ observed by WatchTowr
Geographic spreadGlobal — US, EU, APAC origins
First exploitationLate February 2026 (targeted)
Mass exploitation onsetMarch 6, 2026
Affected versionsAll Catalyst SD-WAN Manager prior to patch

🛡️ Immediate Actions

Patch immediately — Cisco released emergency patches. If patching isn't possible, restrict management interface access to trusted networks only. Check logs for unauthorized administrative sessions and API calls. Assume compromise if exposed to the internet.


📊 Google's 2025 Zero-Day Report: 90 Exploited Vulnerabilities

⚠️ Enterprise Targeting Reaches New High

Google's Threat Analysis Group (TAG) and Mandiant have published their annual zero-day exploitation report for 2025, documenting 90 zero-day vulnerabilities exploited in the wild — with a dramatic shift toward enterprise product targeting.

Key Findings

Zero-Day Trends 2023–2025

YearTotal Zero-DaysEnterprise-TargetedTop Attribution
20236224 (39%)Spyware vendors
20247333 (45%)Spyware vendors
20259045 (50%)Spyware vendors + China

🎯 Strategic Takeaway

The 50% enterprise targeting rate signals that attackers are shifting from consumer endpoints to enterprise infrastructure. Network security appliances (firewalls, VPNs) are now the #1 target class — organizations must prioritize patching edge devices and implementing defense-in-depth for network perimeters.


💰 ArmorCode Raises $16M for Exposure Management Platform

ArmorCode, the application security posture management (ASPM) company, has raised $16 million in new funding to accelerate development of its exposure management platform.

💡 Market Signal

The ASPM market continues to grow as organizations struggle with tool sprawl — the average enterprise runs 40+ security tools generating thousands of alerts daily. Consolidation platforms like ArmorCode address alert fatigue by providing unified visibility and intelligent prioritization.


🔐 Evervault Raises $25M Series B for Developer-Focused Encryption

Evervault has closed a $25 million Series B round to expand its developer-focused encryption and data orchestration platform.

💡 Why It Matters

As data privacy regulations tighten globally, Evervault's approach of making encryption developer-friendly addresses a critical gap. Most breaches exploit data stored in plaintext or with weak encryption — Evervault aims to make strong encryption the path of least resistance for developers.


🦠 BoryptGrab Stealer Spreads via 100+ GitHub Repositories

⚠️ Supply Chain Attack via GitHub

Security researchers have identified over 100 malicious GitHub repositories distributing the BoryptGrab information stealer, targeting browser credentials, cryptocurrency wallet data, and session tokens.

Attack Methodology

BoryptGrab Capabilities

🛡️ Developer Protection

Verify GitHub repositories before cloning — check account age, commit history, and contributor profiles. Use dependency scanning tools in CI/CD pipelines. Never run code from unfamiliar repositories without review. Consider using GitHub's verified publisher badges as a trust signal.


🏭 Rockwell ICS Vulnerability Exploited in the Wild — Disclosed in 2021

⚠️ Legacy ICS Vulnerability Now Under Active Exploitation

A Rockwell Automation ICS vulnerability originally disclosed in 2021 is now being actively exploited in the wild, highlighting the persistent risk of unpatched industrial control systems.

🏭 OT Security Reminder

This exploitation underscores the OT patching gap — vulnerabilities disclosed years ago remain unpatched in many industrial environments. Organizations must implement network segmentation, monitor OT traffic for anomalies, and prioritize patching internet-facing ICS components. The convergence of IT and OT means enterprise vulnerabilities directly impact industrial safety.


📋 Summary & Action Items

Threat / EventSeverityAction Required
Coruna iOS exploit kit → KEV🔴 CriticalPatch all iOS devices, enforce MDM minimum versions
Cisco SD-WAN CVE-2026-20127🔴 CriticalPatch immediately, restrict management access
Google 90 zero-days report🟠 HighPrioritize edge device patching, defense-in-depth
ArmorCode $16M raise🟢 InfoEvaluate ASPM for vulnerability consolidation
Evervault $25M Series B🟢 InfoConsider encryption-as-code for data protection
BoryptGrab on GitHub🟠 HighAudit dependencies, scan for malicious packages
Rockwell ICS exploitation🔴 CriticalPatch OT systems, segment networks, monitor traffic

Protect Your Infrastructure with AI-Powered Security Testing

KENSAI continuously scans for vulnerabilities, misconfigurations, and indicators of compromise — detecting threats like Coruna exploit chains and SD-WAN bypasses before attackers strike.

Start Free Security Scan

Stay vigilant. Stay protected.

🗡️ KENSAI Product & Research Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles