Google’s Threat Intelligence Group has dropped a bombshell in its latest 2025 Zero-Day Review: nearly half (48%) of all zero-day exploits hit enterprise environments—a record high that signals a dangerous pivot by attackers toward corporate networks and security tools.
Surveillance Vendors Overtake Nation-States
For the first time ever, commercial surveillance vendors outpaced traditional state-sponsored hacking groups in zero-day usage, exploiting more vulnerabilities than espionage operations backed by governments like China. Google attributes this shift to the “democratization” of elite hacking tools, now sold to a broader range of government clients seeking undetectable access.
The report tracked 90 zero-days exploited in the wild last year—up from 78 in 2024 but below 2023’s peak of 100—showing threats remain stubbornly elevated.
Why Enterprises Are the New Bullseye
Attackers are laser-focused on business-grade tech:
- Edge devices (routers, firewalls, VPNs) lack endpoint detection and response (EDR), making them stealthy entry points.
- Security appliances from Cisco, Fortinet, Ivanti and VMware are prime targets for remote code execution and privilege escalation.
- Networking gear enables long-term persistence without tripping user-facing alerts.
Nearly half of 2025’s zero-days struck these systems, exploiting injection flaws, memory corruption and weak access controls.
Declining Browser Attacks, Rising OS and Mobile Threats
Traditional consumer targets are hardening:
- Browsers fell below 10% of exploits, thanks to better mitigations.
- Operating systems led with 39 flaws; mobile operating systems jumped to 15.
But attackers adapted: some chained multiple bugs for deeper access, others used single zero-days against lower-privilege components.
AI Will Supercharge the Zero-Day Arms Race in 2026
Google warns artificial intelligence will turbocharge threats:
- Attackers will automate reconnaissance, vulnerability discovery and exploit coding.
- Defenders must counter with AI-driven detection to stay ahead.
“AI will accelerate the current race between attackers and defenders,” the report states, putting pressure on security teams to evolve faster.
Key Attackers and Trends
| Actor Type | Zero-Days (2025) | Primary Targets |
|---|---|---|
| Commercial Surveillance | Most attributed | Mobile, browsers |
| China-linked Espionage | 10+ | Edge devices, networks |
| Financial/Ransomware | Growing | Enterprise systems, for data extortion |
What Enterprises Must Do Now
- Patch edge devices religiously—they’re the weakest link.
- Deploy EDR on appliances to close visibility gaps.
- Assume zero-days target your supply chain; segment networks aggressively.
- Leverage AI defensively for anomaly detection in high-value systems.
This report isn’t just data—it’s a wake-up call. As zero-days proliferate beyond elite nation-states, every enterprise is in the crosshairs. The question isn’t if you’ll be hit, but how quickly you detect and respond.













