Google: 90 Zero-Days Exploited in 2025, Up 15% From 2024

By alex2404

Google’s Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited in attacks throughout 2025, a 15% rise from the 78 recorded in 2024, though still below the record 100 logged in 2023.

Zero-day vulnerabilities are security flaws that attackers exploit before a vendor has developed a patch. They are prized by threat actors because they frequently enable initial access, remote code execution, or privilege escalation, often leaving targets with little warning or recourse.

Enterprise Systems Under Pressure

Of the 90 zero-days tracked, 47 targeted end-user platforms while 43 hit enterprise products. Nearly half the total exploit volume focused on enterprise infrastructure, with security appliances, networking equipment, VPNs, and virtualization platforms drawing the most attention. GTIG notes these systems often lack endpoint detection and response (EDR) monitoring while providing broad network access, making them attractive entry points.

Memory safety issues accounted for 35% of all exploited zero-day vulnerabilities. The broader mix of flaw types included remote code execution, privilege escalation, injection and deserialization bugs, authorization bypasses, and use-after-free memory corruption.

Microsoft Led the Target List

Operating system vulnerabilities dominated the exploit landscape. Attackers leveraged 24 zero-days in desktop operating systems and 15 in mobile platforms. Browser-based exploits, by contrast, dropped to eight, a notable decline that Google analysts attribute either to stronger security hardening in that software category or to threat actors adopting more sophisticated evasion methods.

By vendor, Microsoft was the most targeted, with 25 zero-days exploited against its products. Google followed at 11, Apple at 8, Cisco and Fortinet at 4 each, and Ivanti and VMware at 3 each.

Commercial Spyware Vendors Overtake Nation-States

For the first time in GTIG’s tracking history, commercial surveillance vendors surpassed state-sponsored groups as the largest exploiters of zero-day flaws. The report describes this as the continuation of a multi-year shift: “a growing proportion of zero-day exploitation is conducted by CSVs and/or their customers, demonstrating a slow but sure movement in the landscape.”

Among state actors, China-linked espionage groups remained the most active, responsible for 10 zero-days in 2025. Their operations focused on edge devices, security appliances, and networking gear, consistent with objectives of establishing long-term persistent access rather than opportunistic compromise.

Financially motivated actors, primarily ransomware and data extortion groups, accounted for nine of the exploited flaws, reflecting a steady expansion of zero-day use beyond the traditionally well-resourced nation-state sphere.

What Comes Next

GTIG expects zero-day exploitation to remain elevated in 2026, citing the growing use of AI tools to automate vulnerability discovery and accelerate exploit development. The report highlights the Brickstorm campaign as an example of attackers shifting focus from source code theft toward finding flaws in software products before they ship.

Google’s recommended defensive measures include reducing attack surface exposure, limiting privileged access, monitoring continuously for anomalous behavior, and maintaining fast patching and incident-response cycles.


This article is a curated summary based on third-party sources.
