
What happened
Google Threat Intelligence Group (GTIG) says it observed 90 zero-day vulnerabilities exploited in the wild during 2025.
That is:
- Up from 78 in 2024
- Below the 100 recorded in 2023
Key findings
Target split shifted toward enterprise
GTIG’s 2025 dataset shows a near-even split:
- 47 zero-days targeting end-user platforms
- 43 targeting enterprise products
Enterprise-targeted exploitation focused on high-value infrastructure, including:
- Security appliances
- Network edge gear and VPNs
- Virtualization platforms
Exploit types and vendor pressure points
Commonly exploited bug classes included:
- Remote code execution
- Privilege escalation
- Authorization bypass
- Injection and deserialization flaws
- Memory corruption bugs
Google also reported that memory-safety issues made up a large share of the exploited flaws, while browser zero-days declined compared with prior years.
Why this matters
- Enterprise edge systems are increasingly prime initial-access targets.
- Commercial spyware vendors are now a major driver of high-end exploit activity.
- Defenders should expect continued pressure in 2026, especially where patching and visibility lag.
What defenders should do now
- Reduce exposed attack surface on externally reachable enterprise systems.
- Patch aggressively for edge/network/security products, not just endpoints.
- Harden privileged paths (admin interfaces, API access, management planes).
- Improve detection coverage on infrastructure that traditionally lacks strong EDR telemetry.
Bottom line
The 2025 zero-day picture reinforces that attackers are investing where access is most valuable: enterprise control points and edge infrastructure. Organizations should treat external-facing and management-plane systems as top-tier patch and monitoring priorities.
