Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited throughout 2025, almost half of them in enterprise software and appliances.

The figure is a 15% increase compared to 2024, when 78 zero-days were exploited in the wild, but lower than the record 100 zero days tracked in 2023.

Zero-day vulnerabilities are security issues in software products that attackers exploit, usually before the vendor learns about them and develops a patch. They are highly valued by threat actors because they often enable initial access, remote code execution, or privilege escalation.

A report from GTIG today notes that of the 90 zero-days tracked as exploited in 2025, 47 of them targeted end-user platforms, and 43 targeted enterprise products.

The type of exploited flaws includes remote code execution, privilege escalation, injection and deserialization flaws, authorization bypasses, and memory corruption (use-after-free) bugs. Google reports that memory safety issues accounted for 35% of all exploited zero-day vulnerabilities last year.

The most targeted enterprise systems were security appliances, networking infrastructure, VPNs, and virtualization platforms, as these provide privileged network access and often lack EDR monitoring.

GTIG reports that bugs in operating systems were the most exploited category last year, with attacks leveraging 24 zero-day vulnerabilities in desktop OSs and 15 in mobile platforms.

Zero-day exploits in web browsers dropped to eight, a sharp decline compared to previous years.

Google’s analysts speculate this might be due to increased security hardening in this software category, though it may also be a case of threat actors using more advanced evasion tactics and being better at hiding malicious activity.

According to GTIG researchers, Microsoft was the top vendor targeted with zero days last year (25), followed by Google with 11, Apple with eight, and Cisco and Fortinet with four each, and Ivanti and VMware with three each.

For the first time since Google started tracking zero-day exploitation, commercial spyware vendors were the largest users of undocumented flaws, surpassing state-sponsored espionage groups, which may also be deploying more effective hiding techniques.

“This continues to reflect a trend we began to observe over the last several years–a growing proportion of zero-day exploitation is conducted by CSVs and/or their customers, demonstrating a slow but sure movement in the landscape,” reads the GTIG report.

Google researchers say that among state-sponsored actors, China-linked espionage groups remain the most active, with 10 zero-days exploited in 2025. The attacks targeted primarily edge devices, security appliances, and networking equipment for long-term persistent access.

Another notable trend observed last year was the increase in zero-day exploitation by financially motivated actors (ransomware, data extortion), who accounted for nine of the flaws.

GTIG believes that the use of AI tools will help automate vulnerability discovery and accelerate exploit development, so exploitation of zero-day flaws in 2026 is expected to remain high.

The Brickstorm campaign is highlighted in the report as an example of how hackers are shifting their focus from source code theft to discovering flaws in future software products.

To detect and contain zero-day exploitation, Google recommends reducing attack surfaces and privilege exposure, continuously monitoring systems for anomalous behavior, and maintaining rapid patching and incident-response processes.