
Google: 90 Zero-Day Exploits Used in Attacks Last Year

Summary

– Google tracked 90 exploited zero-day vulnerabilities in 2025, a 15% increase from 2024, with nearly half targeting enterprise software.
– The most exploited flaws were in operating systems, while browser exploits dropped sharply, possibly due to improved security.
– Commercial spyware vendors became the largest users of zero-days, surpassing state-sponsored groups for the first time.
– State-sponsored actors from China were the most active, and financially motivated groups also increased their use of zero-days.
– Google predicts high zero-day exploitation in 2026, aided by AI tools, and recommends reducing attack surfaces and rapid patching.

The landscape of digital threats saw a significant shift last year, with a notable rise in the exploitation of previously unknown software flaws. Google’s Threat Intelligence Group (GTIG) documented 90 zero-day vulnerabilities that were actively exploited throughout 2025, marking a concerning 15% increase from the previous year. Nearly half of these targeted enterprise software and critical appliances, highlighting a strategic pivot by attackers toward infrastructure that offers deep network access.

These vulnerabilities, known as zero-days, represent critical security holes that malicious actors discover and weaponize before software developers can issue a fix. Their high value stems from their ability to provide initial access to systems, enable remote code execution, or escalate user privileges. The GTIG report breaks down the targets: 47 zero-days affected end-user platforms, while 43 were aimed squarely at enterprise products. The nature of these flaws was varied, encompassing remote code execution, privilege escalation, and injection flaws. Notably, memory safety issues, such as use-after-free bugs, were responsible for over a third of all exploited zero-days.

Enterprise environments faced heightened risk, with security appliances, networking infrastructure, VPNs, and virtualization platforms becoming prime targets. These systems are attractive because they often provide privileged access across a network and may lack the robust endpoint detection and response (EDR) monitoring found on standard workstations. On the end-user side, operating systems bore the brunt of the attacks. Bugs in desktop operating systems led to 24 exploited zero-days, while mobile platforms accounted for 15.

An interesting development was the sharp decline in browser-based zero-day exploits, which dropped to only eight last year. Analysts suggest this could be a result of successful security hardening efforts by browser vendors. However, it might also indicate that threat actors are employing more sophisticated evasion techniques, making their activities harder to detect within these now-more-secure applications.

When examining the vendors most frequently targeted, Microsoft led the list with 25 exploited zero-days. Google followed with 11, Apple with eight, and companies like Cisco, Fortinet, Ivanti, and VMware also faced multiple incidents. Perhaps the most striking trend identified was the changing profile of the attackers themselves. For the first time, commercial spyware vendors surpassed state-sponsored espionage groups as the largest users of these undocumented flaws. This signals a slow but definitive shift in the threat landscape, where powerful surveillance tools are increasingly commoditized and sold to various clients.

Among nation-state actors, groups linked to China remained the most prolific, exploiting 10 zero-days primarily against edge devices and networking equipment to establish long-term persistence. Another growing concern was the activity of financially motivated criminals; ransomware and data extortion groups were responsible for exploiting nine zero-days, showing that these high-value flaws are not solely the domain of espionage.

Looking ahead, experts warn that the situation is unlikely to improve. The use of artificial intelligence is expected to automate parts of the vulnerability discovery process, potentially accelerating the development of new exploits. The report highlights campaigns like “Brickstorm,” which exemplify how hackers are moving beyond stealing source code to proactively hunting for flaws in upcoming software products.

To defend against these evolving threats, security teams are advised to adopt a multi-layered strategy. Key recommendations include minimizing attack surfaces, rigorously limiting privileged access, and implementing continuous monitoring for anomalous behavior. Maintaining rapid patching cycles and having a well-rehearsed incident response plan are also critical for detecting and containing zero-day exploitation before it leads to a major breach.

(Source: Bleeping Computer)
