Organizations hit by 90 zero-day vulnerabilities last year
Google Threat Intelligence researchers warn that edge devices and security appliances are prime entry points
Google said it has tracked 90 zero-day vulnerabilities exploited in the wild in 2025 – a dozen more than in 2024, but lower than 2023's record high of 100.
Of these, 47 targeted end-user platforms and 43 enterprise products, the latter showing an all-time high. Abuse of operating systems was also on the rise, although browser-based exploitation fell to a historical low.
"State-sponsored espionage groups continue to prioritize edge devices and security appliances as prime entry points into victim networks, with just over half of attributed zero-day exploitation by these groups focused on these technologies," the Google Threat Intelligence (GTG) researchers said.
"Commercial surveillance vendors (CSVs) maintained an interest in mobile and browser exploitation, adapting and expanding their exploit chains to bypass more recently implemented security boundaries and other mobile security improvements."
For the first time, in fact, more zero-days were attributed to CSVs than to traditional state-sponsored cyber espionage groups.
Multiple intrusions linked to Brickstorm malware deployment had a range of different objectives, while technology companies were targeted with the aim of stealing valuable IP and furthering the development of zero-day exploits.
Meanwhile, said the team, mobile zero-day discoveries have bounced about in recent years, dropping from 17 in 2023 to nine in 2024, before rebounding to 15 in 2025.
China-linked cyber espionage groups were again the most prolific users of zero-day vulnerabilities in 2025, with groups such as UNC5221 and UNC3886 continuing to focus heavily on security appliances and edge devices to maintain persistent access to strategic targets.
And zero-day exploitation by financially motivated threat groups remained much the same, with nine detected.
"Enterprise software and edge devices keep showing up as the highest leverage targets because they sit at key crossroads where access, connections, and control come together. Attackers keep leaning into these surfaces because one successful exploit can deliver initial access, lateral movement, and durable control across a wide set of systems," said Nick Tausek, lead security automation architect at Swimlane.
"Edge devices are especially attractive because they typically provide only partial breadcrumbs like login events, configuration changes, or basic traffic summaries rather than a clear view of what's happening inside the device, leaving gaps in detection and masking the true scale of exploitation."
Michael Jepson, penetration testing manager at CybaVerse, said the continued rise in exploited zero-days highlights a broader issue around how software is built and maintained.
Security, he said, needs to be embedded much earlier in the development lifecycle, with vendors prioritising secure-by-design principles, rigorous code review, and continuous security testing as part of standard engineering practices.
"While vulnerability discovery and disclosure are a normal part of the ecosystem, organisations should not be learning about critical flaws in widely deployed products only after attackers have already begun exploiting them," he said.
"Stronger development standards, clearer vendor accountability, and potentially regulatory pressure in some sectors may be necessary to drive improvements in software security."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
