Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
CISA adds a vulnerability to the Known Exploited Vulnerabilities catalog only when there’s evidence of real attackers hitting real victims. Not theoretical risk. Already happening. On March 21, five more went on the list with an April 3 patch deadline for federal agencies.
If you’re not a federal agency, that deadline doesn’t apply to you. The exploitation does.
Three of the five are Apple vulnerabilities, all connected to the DarkSword iOS exploit kit. Google’s Threat Intelligence Group, iVerify, and Lookout all identified the connection. This isn’t a scattered set of unrelated bugs. It’s a kit built to chain Apple vulnerabilities into something useful.
The headliner is CVE-2025-31277, a WebKit memory corruption flaw with a CVSS score of 8.8. WebKit is the engine underneath Safari and, because Apple requires it, every browser on iOS. A malicious web page can trigger it. No download required, no attachment to avoid. Just load the wrong page. CVE-2025-43510 and CVE-2025-43520 round out the Apple trio.
If you’re in the Apple ecosystem and haven’t updated, you’re running software a known exploit kit is actively targeting. Apple has patches out. The question is whether you’ve installed them.
Then there’s Craft CMS. CVE-2025-32432 is a CVSS 10.0 remote code execution flaw. That’s a perfect score on a widely deployed content management system. The related CVE-2024-58136 in Yii Framework (Craft’s foundation) scored 9.0. Both are being exploited. If you run Craft, patch now.
Laravel Livewire rounds out the list with a 9.8 RCE. Laravel powers a lot of web applications that don’t advertise that fact. Check your stack.
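"Check your stack" is easier when it's a script rather than a memory exercise. The following is an added example, not code from the original post: it parses a document in the shape of CISA's KEV JSON feed (the field names cveID, vendorProject, product, dateAdded and dueDate are the feed's real ones), matches it against a small asset inventory, and reports how many days remain before each due date, or how far past it you are. The feed body, the inventory, the year in the dates, the vendor/product strings and the Livewire placeholder CVE ID are all constructed for the example; only the other CVE IDs come from the post.

```python
"""Check an asset inventory against a CISA KEV-format feed and report deadlines.

Added example, not code from the original post. Field names follow the public
KEV JSON feed; the feed body below is a CONSTRUCTED sample built from the CVE
IDs in the post, with assumed dates, vendor/product strings and one placeholder ID.
"""
import json
from datetime import date

# Constructed sample in KEV feed shape. Dates (including the year), vendor/product
# strings and the Livewire placeholder ID are assumptions.
KEV_SAMPLE = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-2025-31277", "vendorProject": "Apple", "product": "iOS and iPadOS",
         "dateAdded": "2026-03-21", "dueDate": "2026-04-03"},
        {"cveID": "CVE-2025-43510", "vendorProject": "Apple", "product": "iOS and iPadOS",
         "dateAdded": "2026-03-21", "dueDate": "2026-04-03"},
        {"cveID": "CVE-2025-43520", "vendorProject": "Apple", "product": "iOS and iPadOS",
         "dateAdded": "2026-03-21", "dueDate": "2026-04-03"},
        {"cveID": "CVE-2025-32432", "vendorProject": "Craft CMS", "product": "Craft CMS",
         "dateAdded": "2026-03-21", "dueDate": "2026-04-03"},
        {"cveID": "CVE-2024-58136", "vendorProject": "Yii", "product": "Yii Framework",
         "dateAdded": "2026-03-21", "dueDate": "2026-04-03"},
        {"cveID": "CVE-PLACEHOLDER-LIVEWIRE", "vendorProject": "Laravel", "product": "Livewire",
         "dateAdded": "2026-03-21", "dueDate": "2026-04-03"},
    ],
})

# Constructed inventory: what you run, by host. Name vendors and products the way
# the feed's vendorProject/product strings do, as closely as you can.
INVENTORY = [
    {"host": "web-01", "vendor": "Craft CMS", "product": "Craft CMS"},
    {"host": "phone-fleet", "vendor": "Apple", "product": "iOS"},
    {"host": "web-02", "vendor": "Laravel", "product": "Livewire"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def load_kev(text):
    """Parse a KEV-shaped JSON document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _norm(s):
    return " ".join(s.lower().split())


def _product_matches(asset_product, kev_product):
    # Products match by case-insensitive containment in either direction, so an
    # inventory entry of "iOS" meets a feed entry of "iOS and iPadOS".
    a, k = _norm(asset_product), _norm(kev_product)
    return a in k or k in a


def match_inventory(kev, inventory, today):
    """Return one record per (asset, KEV entry) pair with days until the due date.

    `today` may be a date or an ISO "YYYY-MM-DD" string. Vendors must match
    exactly (case-insensitive); products match by containment.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hits = []
    for asset in inventory:
        for entry in kev:
            if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
                continue
            if not _product_matches(asset["product"], entry["product"]):
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            hits.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "days_left": days_left,
                "status": "overdue" if days_left < 0 else "due",
            })
    # Most urgent first: least time remaining, then CVE ID and host for a stable order.
    hits.sort(key=lambda h: (h["days_left"], h["cveID"], h["host"]))
    return hits


def summarize(hits):
    """The counts you would put at the top of a patching ticket."""
    return {
        "matches": len(hits),
        "overdue": sum(1 for h in hits if h["status"] == "overdue"),
        "hosts": sorted({h["host"] for h in hits}),
    }


if __name__ == "__main__":
    found = match_inventory(load_kev(KEV_SAMPLE), INVENTORY, "2026-03-28")  # assumed "today"
    for h in found:
        print(f'{h["status"]:8} {h["days_left"]:4d}d  {h["cveID"]:26} {h["host"]}')
    print(summarize(found))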