Apple has expanded iOS 18 security update eligibility to additional iPhone models, ensuring that more devices receive protection against the DarkSword exploit kit — an iOS attack framework that has been actively exploited in targeted campaigns since early 2026.
What Is DarkSword?
DarkSword is a sophisticated iOS exploit kit first disclosed in late March 2026 that targets vulnerabilities in Apple's WebKit and dyld dynamic linker to achieve code execution on iPhone and iPad devices. The kit was linked to threat actor group TA446 (also tracked as DarkSword APT), which deployed it in spear-phishing campaigns targeting journalists, diplomats, and government personnel.
The kit's capabilities include:
- Zero-click or one-click delivery via malicious Safari links or iMessage attachments
- WebKit memory corruption leading to renderer-level code execution
- dyld exploitation (CVE-2026-20700) for privilege escalation
- Persistence mechanisms that survive device reboots on unpatched devices
In late March 2026, source code and documentation associated with DarkSword were leaked on GitHub, raising alarms that a previously nation-state-grade iOS exploit toolkit could proliferate to less sophisticated threat actors.
What Apple Has Done
Apple's response has proceeded in stages:
- Initial patches shipped with iOS 18.4.1 and iPadOS 18.4.1 in late March 2026 for the most current devices
- Extended eligibility — Apple has now made it possible for older iPhones still running iOS 18 (but ineligible for iOS 19) to receive targeted security updates covering the DarkSword vulnerabilities without upgrading to the next major iOS version
This approach mirrors Apple's Rapid Security Response (RSR) model, where critical patches can be delivered independently of full OS updates. The expansion is specifically intended to protect devices that remain on iOS 18 due to hardware limitations or user preference, which would otherwise be left exposed.
Affected iPhones and Eligibility
| Device | iOS 18 Update Available | Notes |
|---|---|---|
| iPhone 13 series | Yes | Full iOS 18.x updates |
| iPhone 12 series | Yes | Extended patch eligibility |
| iPhone 11 series | Yes | Extended patch eligibility |
| iPhone XS / XR | Yes (limited) | Security-only RSR delivery |
| iPhone SE (2nd gen) | Yes (limited) | Security-only RSR delivery |
Devices that have already updated to iOS 19 are protected via that update channel.
How to Apply the Update
Users should update immediately:
- Go to Settings → General → Software Update
- If an update appears, tap Download and Install
- If no update is listed, ensure your device is not restricted by an MDM policy blocking updates
For enterprise devices managed via MDM:
```
# Force supervised device software update check (Apple MDM protocol)
# POST /mdm/device command:
{
  "RequestType": "ScheduleOSUpdate",
  "Updates": [
    {
      "ProductKey": "iOS18SecurityUpdate",
      "InstallAction": "InstallASAP"
    }
  ]
}
```
Why This Matters
The DarkSword leak changed the threat calculus significantly. Prior to the leak, DarkSword-class capabilities were assumed to be limited to well-resourced nation-state actors. After the leak, the barrier for sophisticated iOS exploitation dropped considerably.
Security researchers warn that any iPhone running iOS 18 without the latest security patches is now a realistic target for opportunistic attackers who may repurpose the leaked DarkSword tooling — not just the original TA446 group.
Recommended Actions
- Update all iPhones immediately — prioritize devices used for sensitive communications
- Enable Lockdown Mode on high-risk devices (journalists, executives, government personnel) — Settings → Privacy and Security → Lockdown Mode
- Avoid clicking unsolicited links in iMessage, email, or Safari — DarkSword has been delivered via one-click Safari exploits
- Audit MDM policies to ensure iOS updates are not inadvertently blocked across your device fleet
- Monitor for indicators such as unexplained battery drain, unexpected data usage, or device slowdowns (potential signs of compromise)
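An added example (not from the article or from Apple) of the fleet audit recommended above: it flags iOS 18 devices below 18.4.1, checks whether a Restrictions profile is deferring updates, and otherwise builds the ScheduleOSUpdate body shown earlier. The inventory, serials and profile name are constructed; treating 18.4.1 as the floor for every model is an assumption, and the `forceDelayedSoftwareUpdates` / `enforcedSoftwareUpdateDelay` keys come from Apple's Restrictions payload, not from the article.

```python
import plistlib

PATCHED_IOS18 = (18, 4, 1)  # first patched release named in the article
def parse_version(text):
    """'18.4' or '18.4.1 (a)' -> (18, 4, 0) / (18, 4, 1) for numeric comparison."""
    parts = [int(p) for p in text.split()[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def needs_patch(os_version, floor=PATCHED_IOS18):
    """True for iOS 18 builds below the floor; iOS 19 uses its own channel."""
    v = parse_version(os_version)
    return v[0] == 18 and v < floor

def deferral_days(profile_bytes):
    """Days of OS-update deferral enforced by a configuration profile, else 0."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if (payload.get("PayloadType") == "com.apple.applicationaccess"
                and payload.get("forceDelayedSoftwareUpdates")):
            return payload.get("enforcedSoftwareUpdateDelay", 30)  # Apple default
    return 0

def schedule_os_update(product_key):
    """Command body in the shape shown in the article."""
    return {"RequestType": "ScheduleOSUpdate",
            "Updates": [{"ProductKey": product_key, "InstallAction": "InstallASAP"}]}

def plan(devices, profiles, product_key):
    """Map serial -> ('blocked', days) or ('update', command) for exposed devices."""
    actions = {}
    for dev in devices:
        if not needs_patch(dev["os"]):
            continue
        days = deferral_days(profiles[dev["profile"]]) if dev.get("profile") else 0
        actions[dev["serial"]] = (("blocked", days) if days
                                  else ("update", schedule_os_update(product_key)))
    return actions

# Constructed sample data: serials, profile name and inventory are made up.
DEFER = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.apple.applicationaccess",
    "forceDelayedSoftwareUpdates": True, "enforcedSoftwareUpdateDelay": 60}]})
FLEET = [
    {"serial": "SAMPLE001", "os": "18.4", "profile": None},
    {"serial": "SAMPLE002", "os": "18.3.2", "profile": "defer-60"},
    {"serial": "SAMPLE003", "os": "18.4.1", "profile": None},
    {"serial": "SAMPLE004", "os": "19.0", "profile": None},
]
PLAN = plan(FLEET, {"defer-60": DEFER}, "iOS18SecurityUpdate")  # key as in the article
```

A device reported as "blocked" needs its deferral profile removed or shortened before a ScheduleOSUpdate command can take effect.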
Source: BleepingComputer — April 1, 2026