Five Actively Exploited Flaws Added to CISA's Known Exploited Vulnerabilities Catalog
CISA added five security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on March 21, 2026, ordering federal agencies to apply patches by April 3, 2026. Three of the flaws are linked to a sophisticated iOS exploit kit codenamed DarkSword.
| CVE | Product | CVSS | Type |
|---|---|---|---|
| CVE-2025-31277 | Apple WebKit | 8.8 | Memory corruption via web content |
| CVE-2025-43510 | Apple Kernel | 7.8 | Memory corruption (inter-process) |
| CVE-2025-43520 | Apple Kernel | 8.8 | Memory corruption (kernel write) |
| CVE-2025-32432 | Craft CMS | 10.0 | Code injection → RCE |
| CVE-2025-54068 | Laravel Livewire | 9.8 | Unauthenticated RCE |
The DarkSword iOS Exploit Kit
Google Threat Intelligence Group (GTIG), iVerify, and Lookout documented an iOS exploit kit called DarkSword that chains the three Apple vulnerabilities together to deploy multiple malware families:
- GHOSTBLADE — Primary implant for persistent device access
- GHOSTKNIFE — Data exfiltration module targeting messaging apps
- GHOSTSABER — Credential harvesting and keylogging component
The exploit chain requires only that a target visit a malicious webpage, making it a zero-click attack when combined with a phishing link delivered via SMS or messaging apps.
Craft CMS Zero-Day (CVE-2025-32432)
The Craft CMS vulnerability carries the maximum CVSS 10.0 score and has been exploited as a zero-day since February 2025. An intrusion set tracked as Mimo (aka Hezb) has been observed exploiting it to deploy cryptocurrency miners and residential proxyware on compromised servers.
Laravel Livewire RCE (CVE-2025-54068)
The Laravel Livewire flaw allows unauthenticated attackers to achieve remote command execution in specific configurations. With Laravel powering millions of web applications globally, the exposure surface is significant.
| Impact Area | Description |
|---|---|
| iOS Devices | Zero-click exploitation via malicious web content |
| Web Servers | RCE on Craft CMS and Laravel Livewire installations |
| Data Theft | DarkSword deploys multiple espionage malware families |
| Crypto Mining | Mimo group leveraging Craft CMS for mining operations |
| Federal Deadline | All agencies must patch by April 3, 2026 |
Recommendations
For iOS Users
- Update to the latest iOS/iPadOS immediately
- Enable Lockdown Mode if you are a high-risk target
- Avoid clicking links from unknown sources
For Web Developers
- Craft CMS: Update to version 4.14.16 or 5.6.18+ immediately
- Laravel Livewire: Update to version 3.6.4+ or apply the security patch
- Audit server logs for signs of exploitation
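The version guidance above can be checked mechanically against a project's `composer.lock`. The following is an added example, not code from CISA or either project; it assumes the Composer package names `craftcms/cms` and `livewire/livewire`, takes its thresholds from the versions stated in this article, and runs on a constructed sample lock file.

```python
import json

# Minimum fixed versions as stated in this article, keyed by
# (Composer package name, major branch). Branches the article does not
# list are reported as "review" instead of being guessed.
FIXED = {
    ("craftcms/cms", 4): (4, 14, 16),
    ("craftcms/cms", 5): (5, 6, 18),
    ("livewire/livewire", 3): (3, 6, 4),
}

def parse_version(text):
    """'v3.6.3' -> (3, 6, 3); dev or pre-release strings -> None."""
    try:
        parts = [int(p) for p in text.lstrip("vV").split(".")]
    except ValueError:
        return None
    return tuple((parts + [0, 0])[:3])

def audit_lock(lock_text):
    """Return {package: (installed, status)} for the tracked packages."""
    lock = json.loads(lock_text)
    tracked = {name for name, _ in FIXED}
    results = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "").lower()
        if name not in tracked:
            continue
        installed = pkg.get("version", "")
        version = parse_version(installed)
        fixed = FIXED.get((name, version[0])) if version else None
        if fixed is None:
            status = "review"  # branch or version format not covered above
        else:
            status = "patched" if version >= fixed else "vulnerable"
        results[name] = (installed, status)
    return results

# Constructed sample standing in for a real composer.lock file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.6.17"},
    {"name": "livewire/livewire", "version": "v3.6.4"},
    {"name": "monolog/monolog", "version": "3.5.0"},
]})

if __name__ == "__main__":
    for name, (installed, status) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {installed}: {status}")
```

To audit a real project, pass the contents of its `composer.lock` to `audit_lock`; a "review" status means the installed branch or version format is not one this article gives a fixed version for.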
Key Takeaways
- DarkSword is a nation-state-grade iOS exploit kit chaining three vulnerabilities for zero-click compromise
- GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER form a complete espionage toolkit targeting messaging app data
- Craft CMS CVE-2025-32432 carries the maximum CVSS score of 10.0 and has been exploited for over a year
- Laravel Livewire's unauthenticated RCE affects millions of web applications globally
- Federal agencies have until April 3 to remediate all five vulnerabilities