Zero-Day Exploits in 2025: Enterprise Security at Record Risk, Google Warns

Asked 2026-05-04 14:03:34 Category: Cybersecurity

Breaking: 2025 Zero-Day Exploit Trends

Google Threat Intelligence Group (GTIG) has tracked 90 zero-day vulnerabilities actively exploited in the wild during 2025—a number that, while lower than the record 100 seen in 2023, surpasses 2024's 78 and remains within the 60–100 range of recent years, signaling stabilization at elevated levels.

Source: www.mandiant.com

“The consistent volume of zero-days, coupled with a dramatic shift toward enterprise targets, demands urgent attention from security teams,” said Casey Charrier, a lead analyst at GTIG. “Attackers are increasingly focusing on enterprise technologies, which now account for nearly half of all zero-day exploits.”

Rise in Enterprise Exploitation

In 2025, both the raw number (43) and proportion (48%) of vulnerabilities impacting enterprise technologies reached all-time highs. This marks a structural shift first identified in 2024, where enterprise exploitation overtook consumer-focused attacks.

James Sadowski, another GTIG researcher, noted: “Enterprise software, security appliances, and networking devices are prime targets because they offer privileged access across networks and data assets. Attackers are exploiting these trusted entry points to maximize damage.”

Browser Exploitation Declines, OS Attacks Surge

Conversely, browser-based exploitation fell to historical lows, while operating system vulnerabilities saw increased abuse. This trend reflects attackers pivoting toward more direct and impactful vectors that bypass client-side mitigations.

State-Sponsored Espionage Focus on Edge Devices

State-sponsored espionage groups continue prioritizing edge devices and security appliances as entry points into victim networks. Just over half of attributed zero-day exploitation by these groups targeted such technologies.

“These actors are refining their techniques to compromise trusted infrastructure, often chaining multiple vulnerabilities to achieve deep access,” explained Zander Work, a threat intelligence analyst. “The theft of intellectual property, as seen in BRICKSTORM malware operations, highlights the stakes.”

Commercial Surveillance Vendors (CSVs) Adapt

Commercial surveillance vendors maintained interest in mobile and browser exploitation, adapting exploit chains to bypass new security boundaries. Though mobile zero-day discoveries fluctuated (15 in 2025, up from 9 in 2024, down from 17 in 2023), attackers are using more complex chains—or occasionally fewer bugs—to achieve their goals.

“CSVs are forced to evolve as vendor mitigations improve,” said Clement Lecigne, a security researcher. “They’re either chaining more vulnerabilities to reach protected components or focusing on lower-level access within a single application.”

Background

Zero-day vulnerabilities are software flaws unknown to the vendor, leaving no patch available when exploited. GTIG has tracked these exploits since 2020, observing a range of 60–100 per year.

The 2025 count of 90 continues a pattern of high activity, with enterprise targeting now the dominant trend. The decline in browser exploits and rise in OS-level attacks further underscore a strategic shift by threat actors.

What This Means

Organizations must prioritize patching enterprise software, edge devices, and security appliances. The record proportion of enterprise zero-days means attackers view these as the weakest link.

“Security teams should assume that edge devices will be targeted and implement segmentation, monitoring, and rapid update processes,” advised Benoît Sevens, a threat researcher. “The trend toward OS exploitation also demands hardening operating systems, especially in cloud and hybrid environments.”

Ultimately, the stabilization of zero-day volumes at high levels indicates that attackers continue to invest in finding and exploiting vulnerabilities. Proactive defense—combined with threat intelligence sharing—remains critical.