The Google Threat Intelligence Group has disclosed that 90 zero-day vulnerabilities were actively exploited in 2025, signaling significant ongoing cybersecurity challenges. That total is a slight decline from the previous record of 100 in 2023 but an increase from 78 in 2024. The trend indicates the persistent threat posed by zero-day vulnerabilities.
Shifting Target Focus
According to the findings, attackers are increasingly turning their attention away from web browsers and toward enterprise infrastructure, mobile operating systems, and edge devices. The shift is aimed at gaining broad network access and reflects evolving strategies to penetrate deeper into organizational systems.
Notably, commercial surveillance vendors have surpassed traditional state-sponsored groups as the main contributors to zero-day exploitation. These vendors are crafting intricate exploit chains to breach modern mobile security systems, resulting in a resurgence of mobile-related zero-day discoveries, totaling 15 in 2025.
Enterprise Vulnerabilities
The analysis shows that enterprise technologies accounted for nearly half of all zero-day exploits. Network and security appliances are particularly susceptible because of their strategic roles in the network and insufficient endpoint detection measures. State-sponsored actors, especially those associated with entities like UNC3886 and UNC5221, have targeted these devices for prolonged surveillance operations.
A striking example of evolving threat vectors is the BRICKSTORM campaign, in which attackers aimed to steal proprietary source code from tech firms, setting up a cycle in which the stolen code aids the discovery of future zero-day vulnerabilities.
Defense Strategies and Future Outlook
Financially motivated groups have also been active, exploiting nine zero-day vulnerabilities, indicating that advanced exploitation techniques are being adopted beyond espionage. The increasing use of AI to facilitate vulnerability identification and exploitation emphasizes the need for robust defense strategies.
Google stresses the importance of adopting layered defense mechanisms, including strict network segmentation and real-time asset inventory management, to prepare for potential breaches. Monitoring a Software Bill of Materials (SBOM) is recommended so that vulnerable components can be pinpointed swiftly as new zero-days emerge.
As threat actors pivot to more complex enterprise environments, security teams must enhance their focus on edge device monitoring, enforce stringent access controls, and ensure timely vulnerability remediation to counter these sophisticated threats.
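The SBOM and asset-inventory recommendation above, as an added example that is not taken from Google's report: it joins a constructed inventory of CycloneDX-style SBOMs against constructed advisories and lists exposed hosts, edge devices first. Host names, component names, version ranges and advisory IDs are all placeholders.

```python
import json

# Constructed inventory: each asset carries a CycloneDX-style SBOM.
INVENTORY = json.loads("""
[
  {"host": "vpn-gw-01", "zone": "edge",
   "sbom": {"bomFormat": "CycloneDX", "components": [
     {"name": "examplevpnd", "version": "9.1.3"},
     {"name": "exampletls", "version": "3.0.13"}]}},
  {"host": "build-07", "zone": "internal",
   "sbom": {"bomFormat": "CycloneDX", "components": [
     {"name": "examplevpnd", "version": "9.2.0"},
     {"name": "libexample", "version": "2.4.10"}]}},
  {"host": "mdm-02", "zone": "internal",
   "sbom": {"bomFormat": "CycloneDX", "components": [
     {"name": "libexample", "version": "2.4.2"}]}}
]
""")

# Constructed advisories with placeholder IDs: affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "examplevpnd",
     "introduced": "9.0.0", "fixed": "9.1.5"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "libexample",
     "introduced": "2.4.0", "fixed": "2.4.10"},
]

def vkey(version):
    """Turn '2.4.10' into (2, 4, 10) so 2.4.10 sorts after 2.4.2."""
    return tuple(int(part) for part in version.split("."))

def exposed_assets(inventory, advisories):
    """Return (zone, host, component, version, advisory id) hits, edge first."""
    hits = []
    for asset in inventory:
        for comp in asset["sbom"].get("components", []):
            for adv in advisories:
                if comp["name"] != adv["component"]:
                    continue
                if vkey(adv["introduced"]) <= vkey(comp["version"]) < vkey(adv["fixed"]):
                    hits.append((asset["zone"], asset["host"], comp["name"],
                                 comp["version"], adv["id"]))
    # Edge devices sort first: they are reachable from outside the segment.
    return sorted(hits, key=lambda h: (h[0] != "edge", h[1]))

if __name__ == "__main__":
    for hit in exposed_assets(INVENTORY, ADVISORIES):
        print(*hit, sep="\t")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 2.4.2 above 2.4.10 and miss the `mdm-02` hit.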
