Google GTIG: 90 zero-day flaws exploited in 2025 as enterprise targets grow

Google’s GTIG reports 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024, with a growing share targeting enterprise systems.

Google’s Threat Intelligence Group (GTIG) identified 90 zero-day vulnerabilities exploited in the wild in 2025. While slightly below the 100 observed in 2023, the number increased from 78 in 2024, with researchers noting a rising trend of attacks specifically targeting enterprise technologies and corporate infrastructure.

Nearly half of the flaws (43, or 48%) targeted enterprise technologies, marking a record share and confirming a shift toward enterprise-focused attacks. Browser exploitation declined to historic lows, while operating system flaws were increasingly abused. Nation-state actors mainly targeted edge devices and security appliances, while commercial surveillance vendors continued focusing on mobile and browser exploit chains.

“As vendor mitigations evolve and increasingly prevent more simplistic exploitation, threat actors have been forced to expand or adjust their techniques. In some cases, attackers have increased the number of chained vulnerabilities to reach desired levels of access within highly protected components.” reads the report published by Google. “Conversely, threat actors have also managed successful exploitation with fewer or singular bugs by targeting lower levels of access within a single capability, such as an application or service.”

Edge devices such as routers and security appliances remain prime targets because they typically lack EDR visibility, making intrusions harder to detect. Another 47 zero-days (52%) targeted end-user platforms. Operating systems were the most exploited category with 39 flaws, continuing an upward trend, while mobile OS exploits rose to 15 cases. Browsers accounted for less than 10% of zero-day activity, suggesting improved security hardening, though better attacker operational security may also be reducing visible exploitation.

In 2025, most exploited zero-days targeted major tech vendors due to their massive user bases across operating systems, browsers, and mobile platforms. Security and networking companies such as Cisco, Fortinet, Ivanti, and VMware were also frequent targets because of the strategic value of VPNs, virtualization, and edge infrastructure. Many attacks aimed at remote code execution or privilege escalation, often exploiting injection flaws, memory corruption, or weak access controls.

Commercial surveillance vendors (CSVs) were the most active users of zero-day exploits in 2025, surpassing traditional state-sponsored espionage groups for the first time. Firms such as Intellexa continued selling advanced spyware to government clients. However, China-linked cyber-espionage groups remained the most prolific among nation-state actors, often targeting edge and networking devices to maintain long-term access. Financially motivated groups also increased zero-day use, including ransomware operations linked to FIN11 and the Clop ransomware group. Researchers also observed sophisticated exploit chains affecting browsers, mobile devices, and enterprise appliances, including attacks on SonicWall systems that combined authentication bypass, remote code execution, and privilege escalation vulnerabilities.

Google expects AI use to grow in 2026, and threat actors will leverage it to speed up vulnerability discovery and exploit development. Defenders can use AI to strengthen security operations by identifying unknown flaws early and mitigating them before they are weaponized.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)