I just got done writing about VMware Aria Operations being added to CISA’s Known Exploited Vulnerabilities catalog — management console, admin bypass, actively exploited, patch immediately — and before I’d even updated the slug I get the alert: CISA has added Apple iOS vulnerabilities to the KEV list. Again. Because we do this every few months now, apparently. CISA adds iOS flaws to the KEV, Apple pushes an emergency update, the tech press writes “update your iPhone now,” and a significant percentage of iPhone users either dismiss the notification, delay the update because it takes twenty minutes, or are running an iPhone old enough that it doesn’t qualify for the patch. Those people are the ones getting hit.
Let me be very clear about what it means when CISA adds something to the Known Exploited Vulnerabilities catalog, because the word “exploited” is doing a lot of work that people skip over. This isn’t “theoretically exploitable given a specific set of unlikely circumstances.” This is: CISA has evidence that real attackers are actively using this vulnerability against real targets right now. The KEV exists specifically to distinguish between the vast universe of disclosed CVEs — many of which are never actually weaponized — and the smaller, critical set of vulnerabilities that are actively being used in ongoing attacks. When something lands on the KEV, the question isn’t “should I patch eventually?” It’s “why haven’t I patched already?”
What CISA Flagged
Per InnovateCybersecurity’s March 9, 2026 top-10 roundup and reporting from The Hacker News, CISA added multiple Apple iOS vulnerabilities to the KEV catalog, triggering mandatory remediation timelines for Federal Civilian Executive Branch agencies and an urgent patching recommendation for all organizations and individuals running affected iOS versions. The vulnerabilities affect iOS and iPadOS, and in at least some cases, the associated attack chains are described as having been used in targeted attacks against specific high-value individuals before Apple patched and before public disclosure.
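To make the "mandatory remediation timeline" concrete, here is an added example (my own, not from the page's sources or from CISA) that reads a feed in the shape of CISA's KEV JSON, filters it to one vendor, and reports how many days remain on each entry's due date. The three entries are constructed for illustration: the CVE IDs are obvious placeholders and the dates are made up; only the field names match the real feed's schema.

```python
from __future__ import annotations

import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the real
# feed; the CVE IDs are placeholders and every date and description is made up.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "constructed-sample",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "vulnerabilityName": "placeholder WebKit flaw", "dateAdded": "2026-03-05",
     "shortDescription": "constructed placeholder entry", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-03-26", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-00002", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "vulnerabilityName": "placeholder kernel flaw", "dateAdded": "2026-02-17",
     "shortDescription": "constructed placeholder entry", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-00003", "vendorProject": "VMware", "product": "Aria Operations",
     "vulnerabilityName": "placeholder console flaw", "dateAdded": "2026-03-12",
     "shortDescription": "constructed placeholder entry", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-04-02", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

DUE_SOON_DAYS = 7  # assumption: flag anything due within a week


def load_kev(text: str) -> list[dict]:
    """Parse KEV feed JSON and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def entries_for_vendor(entries: list[dict], vendor: str) -> list[dict]:
    """Case-insensitive filter on the feed's vendorProject field."""
    return [e for e in entries if e["vendorProject"].lower() == vendor.lower()]


def triage(entries: list[dict], vendor: str, today: str | None = None) -> list[dict]:
    """Return one row per matching entry with days remaining until the KEV due date.

    `today` is an ISO date string so the result is reproducible; it defaults to the
    real current date. Rows are sorted so the most overdue items come first.
    """
    now = date.fromisoformat(today) if today else date.today()
    rows = []
    for e in entries_for_vendor(entries, vendor):
        remaining = (date.fromisoformat(e["dueDate"]) - now).days
        if remaining < 0:
            status = "overdue"
        elif remaining <= DUE_SOON_DAYS:
            status = "due_soon"
        else:
            status = "open"
        rows.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "dateAdded": e["dateAdded"],
            "dueDate": e["dueDate"],
            "days_remaining": remaining,
            "status": status,
        })
    rows.sort(key=lambda r: r["days_remaining"])
    return rows


if __name__ == "__main__":
    # Pin the clock so the constructed sample produces a stable report.
    for row in triage(load_kev(SAMPLE_KEV_JSON), "Apple", today="2026-03-20"):
        print(f'{row["status"]:9} {row["cveID"]}  due {row["dueDate"]}  ({row["days_remaining"]:+d} days)')
```

Against the live feed you would replace `SAMPLE_KEV_JSON` with the downloaded file and drop the pinned `today`; the point of the status column is that "overdue" on a KEV entry means an attacker has had the exploit for longer than your agency or company was given to patch.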
Apple’s security model is worth understanding in this context, because it shapes both how these vulnerabilities get exploited and why so many people are complacent about patching. iOS runs on more than a billion active devices globally. Those devices carry email, messages, authentication credentials, location data, financial information, and in many cases corporate VPN access and MDM-managed enterprise applications. An iOS zero-day isn’t just a way to compromise one phone. It’s a way to compromise one phone that happens to also be an access point into corporate email, a corporate VPN client, an MFA authenticator, a password manager, and a real-time location beacon.
The exploitation pattern for high-severity iOS vulnerabilities — particularly those involving kernel exploits or WebKit parser flaws — has been well-documented by groups like Citizen Lab and Amnesty International Tech. Nation-state actors, particularly those operating commercial spyware infrastructure like NSO Group’s Pegasus or the various competing products that have emerged since Pegasus became too politically toxic, use iOS zero-days as the core delivery mechanism for mobile surveillance implants. A single chained iOS exploit sequence — typically a WebKit parser flaw combined with a kernel privilege escalation — provides full device compromise: all data accessible, microphone and camera activatable, real-time location trackable, message content readable before encryption, credentials extractable.
As I wrote in my earlier post on the Android zero-day CVE-2026-21385 active exploitation, mobile platform zero-days are no longer exotic nation-state capabilities available only to the most sophisticated intelligence agencies. The commercial spyware industry has made mobile exploitation available to any government — or non-state actor with sufficient resources — that wants to pay for it. The CVEs that end up on CISA’s KEV list are frequently the ones where the commercial spyware chains got burned because a researcher found one of the targeted devices and extracted the exploit from it. The vulnerability was being exploited before it was disclosed. KEV listing happens after discovery, not before use.
The implication: by the time CISA adds an iOS CVE to the KEV, the vulnerability has likely already been used against its intended targets. The people who needed zero-click protection before anyone knew about the flaw either got it through Apple’s Lockdown Mode, had devices patched through a rapid security response, or got compromised. The mass-market patching urgency is about preventing the second wave — the opportunistic and commercial exploitation that follows after a vulnerability is known and exploit code is more widely available.
Who Gets Hit and Why It Matters Beyond Infosec
Here’s where I lose patience with the portion of the security community that treats mobile security as a consumer problem rather than an enterprise one.
The targets of active iOS exploitation include: journalists, human rights activists, defense attorneys, political opposition figures, business executives with sensitive IP, government officials both foreign and domestic, and enterprise employees with access to high-value corporate systems. In every single case where Citizen Lab or Amnesty Tech has forensically confirmed iOS zero-day exploitation, the target was a real person with a life, a job, family members who could be identified through the compromised device’s contacts, and in several cases a physical safety risk from having their location continuously reported to an adversary.
For enterprise security teams: your executives are walking around with iPhones that contain their email credentials, their TOTP codes, their VPN client certificates, and their access to every SaaS application the company runs. One iOS zero-day against the CFO’s personal iPhone — which is probably also enrolled in MDM and configured with corporate email — is a potential path to financial fraud, intellectual property theft, or corporate espionage that bypasses every endpoint control on your corporate network. The iPhone isn’t inside the perimeter. The iPhone is the perimeter.
And the corporate application landscape has made this worse, not better. We pushed email to mobile. We pushed MFA authenticators to mobile. We pushed passwordless authentication via mobile push notifications. Every single one of those mobile-first security controls is potentially compromised by a successful iOS zero-day exploitation. The device that’s supposed to be the second factor in your MFA implementation is the attack surface.
My research on the quantum threat to national security infrastructure addresses how sophisticated adversaries think about intelligence collection infrastructure, and mobile devices are now a primary collection target precisely because of how much sensitive data they aggregate. You don’t need to break someone’s encryption if you own the device before the message gets encrypted.
What Went Wrong — The Structural Problem with Mobile Patching
Apple pushes updates. Apple’s updates are generally good. Apple’s security engineering is genuinely excellent compared to most of the industry. None of that matters if users don’t install the patches.
The enterprise mobile patching problem is specific and solvable but routinely unsolved. MDM platforms — Jamf, Microsoft Intune, VMware Workspace ONE, others — provide the capability to enforce minimum OS version requirements on managed devices. If a device isn’t running at least iOS X.Y.Z, MDM policy blocks access to corporate email and applications until the update is applied. This is the mechanism that converts “we strongly recommend patching” into “you have no choice but to patch.” And a significant number of enterprise MDM deployments don’t have these minimum version enforcement policies configured, either because they were never set up, because IT was worried about user complaints from forced updates, or because devices enrolled in MDM include personal devices under BYOD programs where the enterprise feels less authority to enforce.
The BYOD problem is real and getting worse. Employees who enroll personal devices in corporate MDM for the convenience of accessing corporate email on their personal phone are generally less tolerant of forced OS updates than they would be on a corporate-issued device. And from a security architecture standpoint, a personal iPhone enrolled in corporate MDM but running an unpatched iOS version is exactly the attack surface that a nation-state targeting your organization would look for. The corporate device with enforced patching is protected. The personal device is not. The adversary doesn’t care about the distinction.
The second problem is iOS update adoption patterns. Despite Apple’s best-in-class update delivery infrastructure, a significant percentage of the installed iOS base at any given moment is running older versions. Devices too old to receive current iOS updates form a permanent population of vulnerable devices that no patch will ever reach. If your company allows employees to access corporate email or use corporate authenticators on unsupported iPhones — devices that literally cannot receive the patches CISA just mandated — you have a structural exposure you need to address at the MDM policy level.
The Fixer’s Advice — Here’s Exactly What You Do
1. Update every iPhone and iPad you own or manage, right now. Go to Settings → General → Software Update. If there’s an update available, install it. If you manage iOS devices through MDM, push the update or enforce the minimum version policy. Don’t wait to see if there are compatibility issues. The risk of running an actively exploited iOS vulnerability vastly outweighs the risk that an iOS update breaks something on your device.
2. Configure MDM minimum iOS version enforcement. In Jamf, Intune, Workspace ONE, or whatever MDM platform you run: set a compliance policy that flags devices running below the current iOS major release as non-compliant, and configure conditional access to block non-compliant devices from accessing corporate email, VPN, and any MDM-managed applications. This converts OS patching from a recommendation into a business condition for device access. It works. It’s the right tool for this problem.
3. Implement Apple’s Lockdown Mode for your highest-risk users. Lockdown Mode is Apple’s maximum-security configuration, introduced in iOS 16, that dramatically restricts iOS attack surface by disabling WebKit JIT compilation (which eliminates a major class of browser-based exploit), blocking most message attachment types, disabling FaceTime from unknown contacts, and restricting wired device connections. It is explicitly designed for users at high risk of targeted nation-state surveillance — journalists, executives, senior officials, security researchers. If you have anyone in your organization who meets that description, get them on Lockdown Mode today. The usability tradeoffs are real but manageable for the relevant population.
4. Deploy an MTD solution for managed mobile devices. Mobile Threat Defense platforms — Lookout, Zimperium, CrowdStrike Falcon for Mobile, Microsoft Defender for Endpoint on iOS — provide active threat detection on managed iOS devices including detection of exploitation attempts, anomalous application behavior, network-level indicators of compromise, and OS integrity checks. They’re not a substitute for patching, but they provide the detection layer that Apple’s built-in security doesn’t expose to enterprise security teams. If you’re managing a fleet of iOS devices for a security-sensitive organization and you don’t have MTD deployed, you are flying blind on your mobile attack surface.
5. Review BYOD policy for minimum supported iOS versions. Explicitly define and enforce minimum supported iOS versions for any personal device that accesses corporate resources. If a device model can’t be updated to a supported iOS version because Apple has dropped support for that hardware, remove it from BYOD enrollment. A personal iPhone 10 running iOS 15 is not an acceptable corporate access point in 2026. Write the policy. Enforce it in MDM.
6. Brief your security team on commercial spyware targeting patterns. The Citizen Lab and Amnesty International Security Lab publish detailed forensic reports on iOS spyware campaigns. Read them. Understanding what targeting criteria commercial spyware operators use, what initial infection vectors they favor, and what behavioral indicators appear on compromised devices helps you identify whether your high-risk users are being actively targeted before a forensic incident becomes public news. The resources are free. Use them.
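Steps 2 and 5 above (and the MDM discussion in the earlier section) describe one policy decision: compare each device's OS against a version floor, block access below it, and treat hardware that can never reach the floor as a separate case. The following is an added example of that decision logic written as a stand-alone script; it is my own illustration, not code from Jamf, Intune, Workspace ONE or Apple. The version floor `MIN_IOS_VERSION`, the model identifiers in `HARDWARE_CEILING`, and every device in `FLEET` are constructed for the example and stand in for whatever your inventory export and Apple's current support list actually say.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the floor your compliance policy sets (the page writes it as "iOS X.Y.Z").
MIN_IOS_VERSION = "18.3.1"

# Constructed hardware table: the highest iOS each model can ever run. None means the
# model is still supported by the current release. Model names are placeholders, not
# Apple identifiers; in practice this comes from your MDM inventory export.
HARDWARE_CEILING = {
    "model-current": None,
    "model-legacy": "16.7",
}


@dataclass
class Device:
    name: str
    model: str
    os_version: str
    ownership: str  # "corporate" or "byod"


# Constructed inventory covering each case the policy has to handle.
FLEET = [
    Device("exec-corp-01", "model-current", "18.3.1", "corporate"),
    Device("newer-corp-02", "model-current", "18.4", "corporate"),
    Device("cfo-byod-01", "model-current", "18.2", "byod"),
    Device("legacy-byod-01", "model-legacy", "16.7.10", "byod"),
    Device("legacy-corp-01", "model-legacy", "16.7.10", "corporate"),
    Device("mystery-01", "model-unlisted", "18.3.1", "byod"),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '18.3' or '18.3.1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate_device(device: Device, min_version: str = MIN_IOS_VERSION,
                    ceiling: dict = HARDWARE_CEILING) -> dict:
    """Decide whether one device may reach corporate resources and what to do if not."""
    floor = parse_version(min_version)
    base = {"name": device.name, "ownership": device.ownership}

    # Unknown hardware fails closed: the inventory must be fixed before access is granted.
    if device.model not in ceiling:
        return {**base, "verdict": "unknown_hardware", "grant_access": False,
                "action": "add model to hardware table, then re-evaluate"}

    # Hardware that can never reach the floor is not a patching problem; it is an
    # enrollment problem, and the fix differs for personal and corporate devices.
    cap = ceiling[device.model]
    if cap is not None and parse_version(cap) < floor:
        action = "remove from BYOD enrollment" if device.ownership == "byod" else "retire and replace"
        return {**base, "verdict": "unsupported_hardware", "grant_access": False, "action": action}

    # Supported hardware below the floor: conditional access blocks until it updates.
    if parse_version(device.os_version) < floor:
        return {**base, "verdict": "update_required", "grant_access": False,
                "action": f"block email, VPN and managed apps until updated to {min_version}"}

    return {**base, "verdict": "compliant", "grant_access": True, "action": "none"}


def evaluate_fleet(devices: list[Device], min_version: str = MIN_IOS_VERSION) -> list[dict]:
    return [evaluate_device(d, min_version) for d in devices]


def summarize(results: list[dict]) -> dict[str, int]:
    """Count devices per verdict, which is the number a patch-status dashboard shows."""
    counts: dict[str, int] = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate_fleet(FLEET)
    for r in results:
        print(f'{r["name"]:16} {r["verdict"]:20} access={r["grant_access"]!s:5} {r["action"]}')
    print(summarize(results))
```

Two design choices are deliberate. A model missing from the hardware table is denied rather than assumed supported, because an inventory gap is exactly where an unpatchable personal device hides. And the three failing verdicts are kept distinct: "update_required" is the everyday case conditional access resolves on its own, while "unsupported_hardware" can only be resolved by changing enrollment, which is the BYOD review in step 5.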
The pattern here is relentless and predictable. iOS zero-day found. iOS zero-day exploited against high-value targets. iOS zero-day disclosed after exploit burned. Apple patches. CISA mandates. Most enterprises scramble. A bunch of people don’t patch in time. Some percentage of those unpatched devices get exploited by the second wave of attackers with access to the burned exploit. The only variable you control is whether your devices are in the patched category or the unpatched category when the second wave hits.
Update your phone. Then update your MDM policy so you don’t have to rely on people choosing to update their phones.
