Ethical Hacking News
DarkSword is a sophisticated iOS exploit chain that strings together six vulnerabilities to gain full control of a vulnerable device and run a final payload with kernel privileges. The chain opens with browser exploits, including memory corruption bugs in JavaScriptCore and ANGLE and a pointer authentication code (PAC) bypass in dyld, and ends with a bug in the XNU kernel.
According to the research, DarkSword exploits CVE-2025-31277, CVE-2026-20700, CVE-2025-43529, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520 in three phases: a WebContent sandbox escape, a GPU sandbox escape, and local privilege escalation that delivers the final payload.
The first vulnerability exploited by DarkSword is CVE-2025-31277, a memory corruption vulnerability in JavaScriptCore, the JavaScript engine used by WebKit and Safari. Apple patched it in iOS 18.6, so the chain relies on devices still running earlier 18.x builds for this entry point.
DarkSword then uses CVE-2026-20700, a PAC bypass in dyld, Apple's dynamic linker. It lets the attacker turn the JavaScriptCore memory corruption into arbitrary native code execution inside the renderer process despite pointer authentication. This vulnerability was patched in iOS 26.3.
DarkSword also exploits CVE-2025-43529 and CVE-2025-14174, memory corruption vulnerabilities in JavaScriptCore and in ANGLE (the graphics abstraction layer that runs in the GPU process) respectively. Both have since been patched by Apple.
To escape the sandbox of Safari's renderer process (WebContent), DarkSword fetches a second-stage module named sbox0_main_18.4.js or sbx0_main.js, which leverages CVE-2025-14174 to execute arbitrary code within the GPU process.
The final stage is a module called pe_main.js, which uses CVE-2025-43520, a race condition in the XNU kernel's virtual filesystem (VFS) layer, to gain kernel privileges and run the final payload. This vulnerability was patched in iOS 18.7.2 and 26.1.
DarkSword's exploit chain has three phases:
* **Web Content Sandbox Escape**: DarkSword uses CVE-2025-14174 in ANGLE to break out of the WebContent sandbox and gain code execution in the GPU process.
* **GPU Sandbox Escape**: The attack leverages another vulnerability, CVE-2025-43510, to escape the GPU sandbox.
* **Local Privilege Escalation and Final Payload**: The exploit uses CVE-2025-43520 in XNU to reach kernel privileges and deliver the final payload.
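The fix versions above split across two release branches (18.7.x and 26.x), so a naive numeric comparison gets the exposure wrong: iOS 26.0 is numerically newer than 18.7.2 but does not carry the CVE-2025-43520 fix, which landed in 26.1. The following is an added example, not code from the article or from the researchers: a Python triage routine that compares a device build against the fix versions the article names, branch by branch, and pulls the build out of a Safari user-agent so it can be run over web-server or proxy logs. It assumes (my assumption, not the article's) that a fix shipped in release X is present in every later release on the same major branch and in every newer major branch; CVE-2025-43529, CVE-2025-14174 and CVE-2025-43510 are omitted because the article gives no specific fix release for them, and the sample log lines are constructed.

```python
"""Branch-aware iOS version triage against the DarkSword fix versions.

Added example, not code from the article or from the researchers.  The
fix versions below are the ones the article states; CVE-2025-43529,
CVE-2025-14174 and CVE-2025-43510 are left out because the article names
no specific release for them.
"""
import re

# Fix versions as stated in the article.  Assumption (not from the
# article): a fix that shipped in release X is present in every later
# release on the same major branch, and in every newer major branch.
FIXED_IN = {
    "CVE-2025-31277": ["18.6"],            # JavaScriptCore memory corruption
    "CVE-2026-20700": ["26.3"],            # dyld PAC bypass
    "CVE-2025-43520": ["18.7.2", "26.1"],  # XNU VFS race (LPE)
}

# Safari user-agent fragment such as "CPU iPhone OS 18_4 like Mac OS X".
_UA_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")


def parse_version(text):
    """'18.7.2' -> (18, 7, 2); '18.6' -> (18, 6, 0). Raises ValueError on junk."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_fixed(device, fixed_versions):
    """True if the device build carries the fix, per the assumption above."""
    fixes = [parse_version(v) for v in fixed_versions]
    same_branch = [f for f in fixes if f[0] == device[0]]
    if same_branch:
        # Compare within the branch: 26.0 is older than 26.1 even though
        # it is numerically newer than 18.7.2.
        return device >= min(same_branch)
    # No fix listed for this branch: only a newer major than the oldest
    # fixed branch is assumed to include it.
    return device[0] > min(f[0] for f in fixes)


def missing_fixes(version_text):
    """CVEs from the DarkSword chain whose listed fix this build lacks."""
    device = parse_version(version_text)
    return sorted(cve for cve, fixes in FIXED_IN.items()
                  if not is_fixed(device, fixes))


def ios_version_from_user_agent(user_agent):
    """Pull 'major.minor[.patch]' out of a Safari user-agent, or None."""
    m = _UA_RE.search(user_agent)
    if not m:
        return None
    return ".".join(p for p in m.groups() if p is not None)


def triage_log(lines):
    """Map each iOS build seen in the log lines to the fixes it lacks."""
    report = {}
    for line in lines:
        version = ios_version_from_user_agent(line)
        if version is not None:
            report[version] = missing_fixes(version)
    return report


if __name__ == "__main__":
    # Constructed sample log lines, not real traffic.
    SAMPLE = [
        '10.0.0.5 "GET / HTTP/1.1" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_4 like Mac OS X) AppleWebKit/605.1.15"',
        '10.0.0.6 "GET / HTTP/1.1" "Mozilla/5.0 (iPhone; CPU iPhone OS 26_0 like Mac OS X) AppleWebKit/605.1.15"',
        '10.0.0.7 "GET / HTTP/1.1" "Mozilla/5.0 (iPhone; CPU iPhone OS 26_3 like Mac OS X) AppleWebKit/605.1.15"',
    ]
    for ver, missing in triage_log(SAMPLE).items():
        print(ver, "missing:", ", ".join(missing) or "none listed")
```

Because the article lists no 18.x release for the CVE-2026-20700 fix, every 18.x build is reported as lacking it; that reflects what the article states, not a claim that no such fix exists. Treat the output as a prioritisation hint for which clients to look at first, not as proof of compromise.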
The researchers concluded that GHOSTBLADE, the payload observed at the end of the chain, was likely developed by the DarkSword developers themselves, based on the consistent coding style and the tight integration between it and the chain's shared library code.
Related Information:
https://www.ethicalhackingnews.com/articles/DarkSword-Exploit-A-Sophisticated-iOS-Kernel-Vulnerability-ehn.shtml
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/
https://www.bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/
https://nvd.nist.gov/vuln/detail/CVE-2025-31277
https://www.cvedetails.com/cve/CVE-2025-31277/
https://nvd.nist.gov/vuln/detail/CVE-2026-20700
https://www.cvedetails.com/cve/CVE-2026-20700/
https://nvd.nist.gov/vuln/detail/CVE-2025-43529
https://www.cvedetails.com/cve/CVE-2025-43529/
https://nvd.nist.gov/vuln/detail/CVE-2025-14174
https://www.cvedetails.com/cve/CVE-2025-14174/
https://nvd.nist.gov/vuln/detail/CVE-2025-43510
https://www.cvedetails.com/cve/CVE-2025-43510/
https://nvd.nist.gov/vuln/detail/CVE-2025-43520
https://www.cvedetails.com/cve/CVE-2025-43520/
Published: Wed Mar 18 11:16:16 2026 by llama3.2 3B Q4_K_M