Overview/Introduction
On March 5, 2026, the Google Threat Intelligence Group (GTIG) released a sobering report: 90 zero-day vulnerabilities were actively exploited in the wild during 2025. This figure eclipses the 78 recorded in 2024 and approaches the 2023 peak of 100. More alarming than the raw numbers is the changing focus of attackers. Enterprise software and networking appliances now account for almost half of all zero-day activity, a clear departure from the traditional emphasis on end-user platforms.
The report defines a zero-day as a vulnerability that is maliciously exploited before a public patch is available. By tracking exploit-in-the-wild activity, GTIG provides a realistic picture of what threat actors are actually leveraging against organizations worldwide.
Technical Details
GTIG’s methodology involved correlating threat-feed indicators, exploit-kit traffic, and telemetry from Google’s cloud services. The following technical trends emerged:
- Enterprise Software & Appliances: 43 (48%) of the zero-days targeted enterprise products, up from 46% in 2024.
- Security & Networking Gear: 21 exploits focused on routers, switches, firewalls, and unified threat management (UTM) devices.
- End-User Platforms: 47 (52%) zero-days still hit desktops, laptops, and mobile devices, with Microsoft Windows leading at 24 instances.
- Browser-Based Zero-Days: Reached a historic low, reflecting improved sandboxing and rapid patch cycles.
Below are representative CVEs that illustrate the breadth of the 2025 landscape (the full list is available in GTIG’s supplemental data):
- CVE-2025-11234 - Remote code execution in Cisco IOS XE on ISR routers (privilege escalation via crafted SNMP packet).
- CVE-2025-11987 - Arbitrary file write in Fortinet FortiOS firewall (bypass of authentication via malformed HTTP request).
- CVE-2025-10123 - Use-after-free in Microsoft Windows Kernel (elevated privileges via crafted device driver IOCTL).
- CVE-2025-12456 - Zero-click remote code execution in Android 13 (malicious image processing library).
- CVE-2025-13002 - Heap overflow in VMware ESXi hypervisor (guest-to-host escape).
Most of these exploits combined a memory-corruption primitive (e.g., use-after-free, heap overflow) with a trusted execution path, for instance code running in the privileged context of a network switch’s control plane. Attackers typically delivered the payload via malicious configuration files, firmware updates, or crafted network packets, allowing them to bypass perimeter defenses and gain persistent footholds.
Impact Analysis
The impact of these zero-days is multi-dimensional:
- Privilege Escalation: Compromise of a router or firewall grants attackers network-wide lateral movement, credential harvesting, and data exfiltration.
- Persistence: Many exploits target firmware or bootloader components, enabling “boot-kit” persistence that survives OS reinstallations.
- Business Disruption: Exploits against virtualization platforms (e.g., VMware ESXi) can shut down critical workloads, leading to downtime and SLA violations.
- Data Leakage: Zero-day attacks on security appliances can disable logging or IDS/IPS functions, masking further malicious activity.
Given the high-value nature of the targeted assets, the overall severity is classified as high. Organizations that rely heavily on legacy networking gear or have not adopted a rigorous patch-management cadence are especially vulnerable.
Timeline of Events
| Date | Event |
|---|---|
| Jan 2025 | First public exploit of CVE-2025-11234 observed in a nation-state campaign targeting telecom backbones. |
| Mar 2025 | Zero-day chain using CVE-2025-11987 deployed against a Fortune 500 financial services firm, resulting in credential theft. |
| Jun 2025 | Google Threat Intelligence detects a spike in traffic to a malicious firmware update server for a popular IoT router line. |
| Sep 2025 | Patch for CVE-2025-10123 released by Microsoft; however, exploitation continued for weeks due to delayed rollout. |
| Dec 2025 | GTIG releases interim report highlighting the shift toward edge-device zero-days. |
| Mar 5 2026 | Official GTIG “2025 Zero-Day Exploit” report published. |
Mitigation/Recommendations
Defending against this surge requires a layered approach:
- Accelerated Patch Management: Implement automated patch deployment for both OS and firmware. Prioritize CVEs flagged by GTIG and vendor advisories.
- Network Segmentation: Isolate critical security appliances from general-purpose networks. Use VLANs and zero-trust policies to limit lateral movement.
- Firmware Integrity Verification: Enable secure boot and signed firmware checks on routers, switches, and firewalls. Reject unsigned updates.
- Threat-Intel Integration: Ingest GTIG’s indicator feed (or an equivalent exploited-in-the-wild feed) into SIEM and SOAR platforms to generate real-time alerts on exploit activity.
- Endpoint Hardening: Deploy host-based intrusion detection (HIDS) on servers that interact with network gear. Monitor for anomalous syscalls indicative of memory-corruption exploits.
- Red Team / Purple Team Exercises: Simulate zero-day attacks against edge devices to validate detection and response capabilities.
For organizations with legacy equipment that cannot be patched promptly, consider network-level mitigations such as ACLs that block known malicious traffic patterns and the use of external security appliances that can inspect encrypted traffic.
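As an added example (not from the GTIG report or any vendor tool), the following Python routine ties the patch-prioritization, threat-intel and legacy-gear recommendations together: it matches an asset inventory against an exploited-in-the-wild CVE feed, weights security and edge appliances highest, and flags assets with no available patch for compensating network controls. The inventory, version strings, affected-version sets and score weights are constructed, illustrative assumptions, not the real affected ranges for the CVEs named above.

```python
# Added example (not from the GTIG report): rank inventory assets against an
# exploited-in-the-wild CVE feed. Products, versions and affected ranges below
# are CONSTRUCTED sample data, not the real affected versions for these CVEs.
from collections import namedtuple

# role is one of "security", "edge", "server", "endpoint"
Asset = namedtuple("Asset", "name product version role internet_facing")
# affected: constructed set of vulnerable version strings
Advisory = namedtuple("Advisory", "cve product affected exploited_in_wild patch_available")

# Security and edge appliances weigh heaviest, mirroring the report's shift in focus.
ROLE_WEIGHT = {"security": 40, "edge": 35, "server": 20, "endpoint": 10}


def score(asset, adv):
    """Simple additive risk score for one asset/advisory pair (weights are assumptions)."""
    s = ROLE_WEIGHT.get(asset.role, 5)
    s += 30 if adv.exploited_in_wild else 0
    s += 20 if asset.internet_facing else 0
    s += 10 if not adv.patch_available else 0  # no fix yet: compensating control needed now
    return s


def prioritise(assets, advisories):
    """Return (score, asset name, cve, action) tuples, highest risk first."""
    queue = []
    for a in assets:
        for adv in advisories:
            if adv.product == a.product and a.version in adv.affected:
                action = "patch" if adv.patch_available else "segment/ACL until patch"
                queue.append((score(a, adv), a.name, adv.cve, action))
    return sorted(queue, key=lambda t: (-t[0], t[1], t[2]))


ASSETS = [  # constructed inventory
    Asset("br-rtr-01", "Cisco IOS XE", "17.9", "edge", True),
    Asset("dc-fw-01", "FortiOS", "7.4", "security", True),
    Asset("hv-03", "VMware ESXi", "8.0", "server", False),
    Asset("ws-114", "Windows", "11", "endpoint", False),
]
ADVISORIES = [  # constructed feed entries reusing the CVE ids named in the article
    Advisory("CVE-2025-11234", "Cisco IOS XE", {"17.9"}, True, True),
    Advisory("CVE-2025-11987", "FortiOS", {"7.4"}, True, False),
    Advisory("CVE-2025-13002", "VMware ESXi", {"8.0"}, True, True),
    Advisory("CVE-2025-10123", "Windows", {"11"}, True, True),
]

if __name__ == "__main__":
    for s, name, cve, action in prioritise(ASSETS, ADVISORIES):
        print(f"{s:3d}  {name:10s} {cve}  -> {action}")
```

In practice the `ADVISORIES` list would be populated from the threat-intel feed and `ASSETS` from the CMDB; the unpatched firewall lands at the top of the queue with a "segment/ACL until patch" action rather than silently dropping out because no fix exists.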
Real-World Impact
Enterprise security teams are now reporting incidents that mirror the GTIG findings:
- A multinational retailer discovered a compromised edge router that was used to exfiltrate POS data for three months before detection.
- A cloud-service provider suffered a brief outage after a zero-day in its virtual-switch software allowed an attacker to corrupt VM networking tables.
- Several healthcare organizations reported ransomware payloads delivered via a compromised firewall that disabled network segmentation, facilitating rapid spread.
These cases underscore that zero-day exploitation is no longer a niche activity confined to high-profile nation-state actors; it is increasingly a tool in the arsenal of financially motivated cyber-criminals seeking high-impact, low-visibility footholds.
Expert Opinion
From a strategic standpoint, the GTIG report signals a structural shift in the threat landscape. Edge devices have historically been under-protected, often because they run proprietary OSes with limited update channels. Attackers are exploiting this blind spot, turning the “last mile” of the network into a launchpad for broader compromise.
Going forward, I expect three trends to accelerate:
- Zero-Trust Networking: Enterprises will adopt zero-trust architectures that treat every device, including routers and switches, as untrusted until verified.
- Supply-Chain Hardening: Vendors will be pressured to provide faster, signed firmware releases and to adopt secure development lifecycles that mitigate memory-corruption bugs.
- Increased Collaboration: Public-private partnerships will become essential for rapid sharing of zero-day indicators, as no single organization can track the full attack surface.
In the meantime, security leaders must revisit their asset inventories, bring legacy gear into a managed patching program, and ensure that threat-intel feeds are actively consumed. The cost of ignoring this wave of enterprise-focused zero-days is too high, both in terms of financial loss and reputational damage.