Google warns of surge in enterprise zero-day attacks
Google's Threat Intelligence Group recorded 90 zero-day vulnerabilities exploited in the wild during 2025, up from 78 in 2024. It said this reinforces a stabilised range of annual activity.
A zero-day is a flaw exploited before a vendor publicly releases a patch. Google noted its figures reflect what it has tracked and may change as past incidents come to light. All vulnerabilities in its 2025 dataset now have patches available.
The data points to a continuing shift in attacker focus towards corporate systems. Google identified 43 zero-days affecting enterprise software and appliances, or 48% of all tracked exploits, the highest proportion it has observed for enterprise technologies.
Browser exploitation continued to decline, with browser-related zero-days falling to less than 10% of the total. Operating system exploitation rose, with desktop and mobile systems accounting for 44% of tracked zero-days.
Enterprise targets
Security and networking appliances accounted for about half of the enterprise-related zero-days, with 21 vulnerabilities. Edge devices at the perimeter of corporate networks remained a frequent entry point for espionage groups and other threat actors.
Google flagged limited visibility on many edge devices as a recurring problem for defenders. Many routers, switches and security appliances do not run endpoint detection and response tools, making it harder to spot anomalies or collect evidence after a compromise. The group tracked 14 zero-days affecting edge devices in 2025, while warning the figure likely understates broader activity.
Attackers also targeted enterprise software and virtualisation platforms, which can provide privileged access across networks and data assets when combined with other intrusion tactics.
The vendor mix followed patterns seen in earlier years. Google said large technology firms saw the most exploitation in consumer products such as desktop operating systems, browsers and mobile systems, while security suppliers remained prominent targets. The report named Cisco and Fortinet as commonly targeted networking and security vendors, and said Ivanti and VMware continued to face exploitation tied to VPN and virtualisation deployments.
Mobile complexity
Mobile-related zero-days rose to 15 in 2025, up from nine in 2024 but below the 17 seen in 2023. Google linked the fluctuations to changes in how attackers build exploit chains and how researchers discover them.
Some exploit chains identified in 2025 combined three or more vulnerabilities, increasing the number of individual flaws counted for a single operation. In other cases, attackers achieved their goals with fewer bugs by seeking lower levels of access within an application or service.
The report also described attackers adapting to security boundaries introduced by platform vendors. It said commercial surveillance vendors expanded and adjusted exploit chains to bypass newer security improvements in mobile devices.
Who exploits
Google attributed more zero-day exploitation to commercial surveillance vendors than to traditional state-backed cyber-espionage groups for the first time since it began tracking. It characterised this as a broadening of access to zero-day exploitation, with more customers using tooling supplied by such vendors.
Among state-backed actors, China-linked espionage groups remained the most prolific users of zero-days. Google attributed at least 10 to groups it assesses as linked to China, including UNC5221 and UNC3886. These groups continued to focus heavily on security appliances and edge devices, which can be difficult for defenders to monitor.
Google also pointed to what it called mass exploitation patterns, saying multiple activity clusters exploited vulnerabilities closer to public disclosure. It argued this may indicate faster development and distribution of exploits across separate groups.
The report highlighted a contrast with the prior year for North Korea-linked activity. It did not attribute any zero-days to North Korean groups in 2025, after attributing five in 2024.
Financially motivated groups were linked to nine zero-days in 2025. That nearly matched the 10 attributed in 2023 and was almost double the five attributed in 2024. Two of the zero-days were exploited in operations that led to ransomware deployment.
Google described a large-scale extortion campaign in 2025 in which a threat actor claiming affiliation with the CL0P brand emailed executives alleging data theft from Oracle E-Business Suite environments. Its analysis indicated the campaign followed months of intrusion activity and the exploitation of CVE-2025-61882 and/or CVE-2025-61884 as zero-days against Oracle EBS customers.
AI outlook
Looking ahead, Google said attacker techniques and target sets are expanding as exploitation becomes harder in some categories, particularly browsers and mobile. It also forecast that AI will accelerate the contest between attackers and defenders by speeding up reconnaissance, vulnerability discovery and exploit development.
At the same time, it said defenders will use AI tools, including agentic approaches, within security operations. In a forward-looking assessment of vendor-side security improvements, it said:
"AI agents can proactively discover and help patch previously unknown security flaws, enabling vendors to neutralize vulnerabilities before exploitation."