Key Findings

• Google's Threat Intelligence Group (GTIG) identified 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024

• Nearly half of the flaws (43, or 48%) targeted enterprise technologies, marking a record share and confirming a shift toward enterprise-focused attacks

• Browser exploitation declined to historic lows, while operating system flaws were increasingly abused

• Nation-state actors mainly targeted edge devices and security appliances, while commercial surveillance vendors continued focusing on mobile and browser exploit chains

• Financially motivated groups also increased zero-day use, including ransomware operations

Background

Google's GTIG reports 90 zero-day vulnerabilities exploited in the wild in 2025, a slight decrease from the 100 observed in 2023, but an increase from 78 in 2024. Researchers noted a rising trend of attacks specifically targeting enterprise technologies and corporate infrastructure.

Enterprise-focused Attacks

Nearly half of the zero-day flaws (43, or 48%) targeted enterprise technologies, marking a record share and confirming a shift toward enterprise-focused attacks. Security and networking companies such as Cisco, Fortinet, Ivanti, and VMware were frequent targets due to the strategic value of VPNs, virtualization, and edge infrastructure.

Shift in Exploitation Trends

Browser exploitation declined to historic lows, while operating system flaws were increasingly abused. Edge devices such as routers and security appliances remain prime targets because they typically lack EDR visibility, making intrusions harder to detect.

Threat Actors

Commercial surveillance vendors (CSVs) were the most active users of zero-day exploits in 2025, surpassing traditional state-sponsored espionage groups for the first time. China-linked cyber-espionage groups remained the most prolific among nation-state actors, often targeting edge and networking devices. Financially motivated groups also increased zero-day use, including ransomware operations.

Exploit Chains and AI Leverage

Researchers observed sophisticated exploit chains affecting browsers, mobile devices, and enterprise appliances. Google expects AI use to grow in 2026, and threat actors will leverage it to speed up vulnerability discovery and exploit development. Defenders can use AI to strengthen security operations by identifying unknown flaws early and mitigating them before they are weaponized.

Sources

• https://securityaffairs.com/188993/security/google-gtig-90-zero-day-flaws-exploited-in-2025-as-enterprise-targets-grow.html

• https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/

• https://x.com/securityaffairs/status/2029829063662096505