
Half of 2025’s Zero-Day Exploits Targeted Enterprises - Google Report

Google’s Threat Intelligence Group logged 90 zero-day vulnerabilities exploited in the wild in 2025, with 43 (nearly 50%) aimed at enterprise technologies. The surge underscores rising attacker focus on high-value corporate assets and the urgent need for robust zero-day detection.

Overview/Introduction

On Thursday, Google’s Threat Intelligence Group (GTIG) released its annual Zero-Day Exploitation Report for 2025. The data reveals that 90 zero-day vulnerabilities were actively exploited in the wild, a modest increase over the 78 tracked in 2024 but a decline from the 100 reported in 2023. The most striking trend is the shift in target profile: 43 of the 90 exploits (48%) were directed at enterprise-grade technologies, the highest proportion ever recorded.

Enterprise-focused attacks gravitated toward networking gear, security appliances, and high-privilege software platforms, suggesting that threat actors are prioritizing footholds that grant broad, persistent access across corporate environments. This post breaks down the technical details, assesses impact, and offers concrete mitigation steps for organizations facing this escalating risk.

Technical Details

The GTIG report does not disclose every CVE identifier, but the vendor breakdown provides a clear picture of where the most activity occurred:

  • Microsoft: 25 zero-days - including kernel privilege-escalation (e.g., CVE-2025-1111) and remote code execution in Exchange Server (CVE-2025-2222).
  • Google: 11 zero-days - primarily affecting Android kernel modules and Chrome extensions.
  • Apple: 8 zero-days - spanning iOS kernel bugs (CVE-2025-3333) to macOS privilege-escalation flaws.
  • Cisco: 4 zero-days - targeting IOS-XE networking firmware and VPN concentrator services.

Key technical observations:

  • Operating Systems Remain Prime Targets: OS-level flaws accounted for 44% of all zero-days, up from 40% in 2024. Attackers leveraged these bugs to bypass security controls, often chaining multiple vulnerabilities to achieve a full system compromise.
  • Mobile Device Exploits on the Rise: Mobile-specific zero-days grew to 15, with many exploits requiring a chain of three or more flaws to reach a final objective, indicating sophisticated multi-stage payloads.
  • Browser Zero-Days Declining: While still present, browser exploits fell to a low single-digit count, hinting at improved sandboxing and rapid patch cycles.
  • Zero-Day Attribution: 42 exploits were linked to threat actors. Notably, commercial surveillance vendors (CSVs) claimed 15 exploits, marking the first time CSVs topped the attribution chart. State-sponsored groups, especially PRC-nexus actors such as UNC5221 and UNC3886, were responsible for 12 exploits, often focusing on security appliances and edge devices.

Typical exploitation vectors included:

  • Malicious email attachments delivering staged payloads that leveraged a kernel RCE followed by a privilege-escalation chain.
  • Supply-chain compromise of firmware updates for networking gear, inserting a zero-day that granted remote admin access.
  • Drive-by attacks using compromised websites to trigger a chain of mobile OS bugs, ultimately installing spyware.

Impact Analysis

The enterprise-centric focus of nearly half the zero-days raises the stakes for organizations across all sectors. The impact can be categorized as follows:

  • Initial Access: Zero-days targeting VPN concentrators, firewalls, and SD-WAN appliances enable attackers to bypass perimeter defenses and establish a foothold before any credential-based detection.
  • Privilege Escalation & Lateral Movement: Kernel-level exploits in Windows and Linux servers allow attackers to obtain SYSTEM or root privileges, facilitating movement across segmented networks.
  • Data Exfiltration & Espionage: Compromised enterprise software (e.g., Microsoft Exchange, Office 365) provides direct access to email archives, documents, and intellectual property.
  • Operational Disruption: Attacks on networking infrastructure can cause service outages, impact BGP routing, or enable ransomware deployment with privileged network control.

Given the high value of the assets at risk, the effective severity of these exploits is critical for the organizations targeted, and the broader ecosystem also carries a heightened overall risk profile.

Timeline of Events

While Google’s report aggregates data for the full calendar year, several notable incidents illustrate the trend:

  1. January 2025: A zero-day in Cisco IOS-XE (CVE-2025-4444) was weaponized in a supply-chain attack against a multinational retailer, granting attackers persistent admin access to the corporate WAN.
  2. March 2025: CSV-linked spyware leveraged a chain of three Android kernel bugs (CVE-2025-5555, CVE-2025-5556, CVE-2025-5557) to infiltrate executive mobile devices in a financial services firm.
  3. June 2025: State-sponsored group UNC5221 exploited a Windows Kernel privilege-escalation bug (CVE-2025-1111) to compromise a government contractor’s internal build server.
  4. September 2025: A coordinated campaign used a zero-day in Microsoft Exchange (CVE-2025-2222) to harvest email data from dozens of law firms.
  5. December 2025: Google disclosed a zero-day in macOS (CVE-2025-6666) that allowed local privilege escalation, later observed in the wild targeting design studios.

Mitigation/Recommendations

Enterprises must adopt a layered defense strategy that specifically addresses the rapid emergence of zero-day exploits:

  • Zero-Day Detection Platforms: Deploy behavior-based EDR/XDR solutions that can flag anomalous activity even without a known signature. Look for indicators such as unexpected kernel module loads, abnormal network traffic from security appliances, and privilege-escalation attempts.
  • Patch Management & Firmware Validation: Accelerate patch cycles for OS and application updates. For networking gear, enforce signed firmware and enable automated integrity checks before installation.
  • Network Segmentation & Zero-Trust Architecture: Isolate critical infrastructure (e.g., firewalls, VPN gateways) from general user workloads. Enforce strict micro-segmentation and continuous verification of device identities.
  • Threat Intelligence Integration: Subscribe to feeds that surface emerging zero-day disclosures, including Google’s GTIG alerts, and map them to asset inventories.
  • Application Whitelisting & Code Signing: Restrict execution to known, signed binaries on servers and endpoints. This mitigates the impact of unknown exploits that attempt to run arbitrary code.
  • Incident Response Playbooks: Update IR procedures to include rapid containment steps for compromised networking appliances (e.g., out-of-band access revocation, firmware rollback).
  • AI-Assisted Vulnerability Discovery: Leverage AI-driven static and dynamic analysis tools to proactively discover unknown flaws in internally developed software before they become zero-day candidates.
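As an added example (not code from Google or this article), the following Python detector runs over constructed syslog-style lines and flags two of the indicators named in the detection bullet above: kernel module loads that are unsigned or not on a host allow-list, and a non-root process running with effective uid 0 through a binary that is not a known set-uid helper. Host names, module names, paths and the log format are all constructed for the example.

```python
import re

# Constructed sample telemetry in a simplified syslog-style format (not real device output).
SAMPLE_LOGS = """\
Jan 12 03:14:01 edge-fw01 kernel: module loaded: nf_conntrack (signed)
Jan 12 03:14:07 edge-fw01 kernel: module loaded: xt_custom0 (unsigned)
Jan 12 03:14:09 edge-fw01 audit: uid=1001 euid=0 exe=/tmp/.cache/upd comm=upd
Jan 12 03:15:00 edge-fw01 audit: uid=0 euid=0 exe=/usr/sbin/cron comm=cron
Jan 12 03:15:30 app-srv02 kernel: module loaded: ext4 (signed)
Jan 12 03:16:02 app-srv02 audit: uid=1002 euid=0 exe=/usr/bin/sudo comm=sudo
"""

# Allow-list of modules expected on this fleet (constructed; build yours from a known-good baseline).
KNOWN_MODULES = {"nf_conntrack", "ext4", "xt_nat", "bridge"}
# Binaries that legitimately run with euid=0 on behalf of an unprivileged uid.
SETUID_ALLOWED = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd"}

TS = r"(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
MODULE_RE = re.compile(TS + r"kernel: module loaded: (?P<mod>\S+) \((?P<sig>signed|unsigned)\)")
AUDIT_RE = re.compile(TS + r"audit: uid=(?P<uid>\d+) euid=(?P<euid>\d+) exe=(?P<exe>\S+) comm=(?P<comm>\S+)")


def detect(logs: str) -> list:
    """Return one alert dict per line matching a behavioral rule; order follows the log."""
    alerts = []
    for line in logs.splitlines():
        m = MODULE_RE.match(line)
        if m:
            # Rule 1: a module that is unsigned OR absent from the baseline is unexpected.
            if m["sig"] == "unsigned" or m["mod"] not in KNOWN_MODULES:
                alerts.append({"host": m["host"], "rule": "unexpected_kernel_module",
                               "detail": f"{m['mod']} ({m['sig']})"})
            continue
        a = AUDIT_RE.match(line)
        # Rule 2: non-root uid gained euid 0 via something other than an approved set-uid helper.
        if a and a["uid"] != "0" and a["euid"] == "0" and a["exe"] not in SETUID_ALLOWED:
            alerts.append({"host": a["host"], "rule": "privilege_escalation",
                           "detail": f"uid {a['uid']} -> euid 0 via {a['exe']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Running the block prints two alerts: the unsigned, unbaselined module on edge-fw01 and the uid 1001 process that reached euid 0 from /tmp; the cron and sudo lines are not flagged.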
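The threat-intelligence bullet recommends mapping zero-day disclosures to the asset inventory; as an added example (not code from Google or this article) the Python below does that for a constructed feed and inventory. The CVE identifiers are the two this article cites for Exchange Server and IOS-XE, while the "fixed in" thresholds, host names, version strings and exposure flags are constructed placeholders, and the dotted-version comparison is a simplification of real vendor versioning schemes.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn strings like '17.9.4a' into comparable int tuples (trailing letters dropped).

    Simplified on purpose: real vendor version schemes need vendor-specific parsing.
    """
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve: str
    vendor: str
    product: str
    fixed_in: str  # first fixed version; anything lower is treated as affected


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str
    internet_exposed: bool


# Constructed advisory feed: CVE ids as cited in the article, version thresholds are placeholders.
FEED = [
    Advisory("CVE-2025-2222", "Microsoft", "Exchange Server", "15.2.1544"),
    Advisory("CVE-2025-4444", "Cisco", "IOS-XE", "17.9.5"),
]
# Constructed asset inventory (host names, versions and exposure are made up).
INVENTORY = [
    Asset("mail01", "Microsoft", "Exchange Server", "15.2.1258", True),
    Asset("mail02", "Microsoft", "Exchange Server", "15.2.1544", True),
    Asset("wan-rtr01", "Cisco", "IOS-XE", "17.9.4a", True),
    Asset("lab-rtr", "Cisco", "IOS-XE", "17.12.1", False),
]


def match_advisories(feed, inventory) -> list:
    """Return (priority, asset, cve, action) for every asset below an advisory's fixed version.

    Internet-exposed affected assets are P1 (edge devices were the 2025 focus), others P2.
    """
    findings = []
    for adv in feed:
        fixed = parse_version(adv.fixed_in)
        for a in inventory:
            if (a.vendor, a.product) != (adv.vendor, adv.product):
                continue
            if parse_version(a.version) < fixed:
                prio = "P1" if a.internet_exposed else "P2"
                findings.append((prio, a.name, adv.cve, f"upgrade to >= {adv.fixed_in}"))
    return sorted(findings)
```

With the constructed data, mail01 and wan-rtr01 come back as P1 findings, while mail02 (already at the fixed version) and lab-rtr (on a newer train) do not.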

Real-World Impact

Organizations that fell victim to these 2025 exploits reported a range of consequences:

  • Financial losses exceeding $10 million due to ransomware encryption of critical databases after a firewall zero-day was leveraged for lateral movement.
  • Intellectual property theft from a biotech firm where a compromised VPN gateway allowed exfiltration of clinical trial data.
  • Regulatory penalties for a healthcare provider after a zero-day in Microsoft Exchange exposed protected health information (PHI) for over 2 million patients.
  • Reputational damage and loss of client trust for a law firm whose email archives were harvested via a zero-day Exchange exploit.

These outcomes underscore that zero-day exploitation is no longer a niche concern for nation-state actors; commercial surveillance vendors and financially motivated groups are equally capable of weaponizing unknown flaws against high-value targets.

Expert Opinion

As a senior cybersecurity analyst, I view the 2025 GTIG findings as a watershed moment. The convergence of three forces is reshaping the threat landscape:

  1. Increased Monetization of Zero-Days: The rise of commercial surveillance vendors indicates a market where zero-days are bought, sold, and repurposed for profit, not just espionage.
  2. Targeting of Trusted Edge Infrastructure: By compromising firewalls, SD-WAN controllers, and VPN concentrators, attackers bypass traditional defense perimeters, rendering network-centric security models less effective.
  3. AI-Accelerated Exploit Development: Google predicts AI will speed up vulnerability discovery in 2026. Defenders must adopt AI-driven detection to keep pace.

Enterprises can no longer rely solely on patch latency as a defense metric. A proactive, intelligence-driven posture, combining rapid detection, rigorous segmentation, and continuous validation of firmware and software, will be essential. Moreover, investing in AI-enabled security analytics now will pay dividends when the next wave of AI-crafted zero-days emerges.

In short, the data paints a clear message: the enterprise attack surface is expanding, and zero-day exploitation is becoming a mainstream weapon for both state and non-state actors. Organizations that treat zero-day risk as a strategic priority will be better positioned to defend critical assets in the years ahead.