2025 Zero-Day Exploitation: Key Trends and Insights

Published: 2026-05-03 19:02:39 | Category: Cybersecurity

Google Threat Intelligence Group analyzed 90 zero-day vulnerabilities actively exploited in the wild during 2025. While this number is lower than the record 100 seen in 2023, it exceeds 2024's count of 78 and remains within the 60–100 range observed over the past four years, signaling a stabilization. Notably, enterprise exploitation reached an all-time high, with 43 such vulnerabilities (48% of the total) targeting enterprise-grade technologies. This shift reflects a sustained trend toward leveraging complex, interconnected systems for initial access and lateral movement. Below, we break down the key takeaways from the year's zero-day activity.

How many zero-day vulnerabilities were exploited in 2025, and how does that compare to previous years?

In 2025, Google Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild. This figure is lower than the record high of 100 observed in 2023, but it marks an increase from 78 in 2024. Over the past four years, the annual count has stabilized within the 60–100 range, indicating that zero-day exploitation is not declining but rather plateauing. This consistency suggests that threat actors continue to invest in discovering and weaponizing new vulnerabilities, even as defenders improve detection and patching. The 2025 data also highlights a structural shift: enterprise technologies now account for 48% of all exploited zero-days, up from lower proportions in previous years. This trend underscores the growing focus on high-value targets such as security appliances, networking gear, and enterprise software that provide broad access to sensitive data and systems.

2025 Zero-Day Exploitation: Key Trends and Insights
Source: www.mandiant.com

What shift occurred in enterprise exploitation in 2025?

Enterprise exploitation reached unprecedented levels in 2025, both in raw numbers and proportion. A total of 43 zero-day vulnerabilities—48% of all in-the-wild exploits—targeted enterprise-grade technologies. This marks an all-time high, reflecting a strategic pivot by attackers toward high-value, interconnected platforms. Key targets included security and networking appliances, which are often trusted edge devices that can serve as entry points into entire networks. The increase in enterprise exploitation aligns with a broader trend: browser-based exploitation dropped to historic lows, while operating system vulnerabilities saw increased abuse. For defenders, this means focusing security efforts on hardening edge infrastructure, monitoring enterprise software for flaws, and prioritizing patches for devices that bridge internal and external networks.

Which types of technology are state-sponsored groups targeting for initial access?

State-sponsored espionage groups continue to prioritize edge devices and security appliances as primary entry points into victim networks. In 2025, just over half of all zero-day exploitation attributed to these groups targeted such technologies. Networking and security appliances—including firewalls, VPN concentrators, and gateways—are attractive because they often sit at the network perimeter, have privileged access, and may run complex, less-visible software. By compromising these devices, attackers can gain persistent initial access, pivot laterally, and evade detection. This focus aligns with the broader enterprise exploitation trend, where 48% of zero-days hit enterprise technologies. Examples include exploitation of vulnerabilities in widely used appliances from vendors like Cisco, Palo Alto Networks, and Fortinet. Defenders should treat these devices as high-risk and ensure they receive timely patches and configuration reviews.

How are commercial surveillance vendors adapting their exploit techniques?

Commercial surveillance vendors (CSVs) maintained a strong interest in mobile and browser exploitation throughout 2025. To bypass increasingly robust mobile security measures—such as improved sandboxing and memory protections—CSVs have expanded their exploit chains, often chaining multiple vulnerabilities to achieve the necessary access. In some cases, they have also succeeded with fewer or single bugs by targeting lower-level components like specific applications or services. This adaptation reflects the cat-and-mouse dynamic between vendors and attackers. For example, CSVs have abused iOS and Android components, leveraging privilege escalation exploits alongside kernel or browser vulnerabilities. The result is a continued arms race where each platform security update forces attackers to innovate, often making exploit chains more complex or shifting tactics entirely.

What role does BRICKSTORM malware play in zero-day exploitation?

Multiple intrusion campaigns linked to BRICKSTORM malware deployment were observed in 2025, showcasing a range of objectives. Notably, BRICKSTORM targeted technology companies, aiming to steal valuable intellectual property—especially data related to zero-day exploit development. This suggests that some threat actors view exploit development itself as a competitive domain, seeking to reverse-engineer or steal tools from security researchers and other vendors. BRICKSTORM intrusions often leveraged zero-day vulnerabilities for initial access, then deployed custom malware to exfiltrate code, blueprints, or vulnerability details. The targeting of tech firms highlights a concerning feedback loop: as defenders create new mitigations, attackers invest in stealing those innovations to improve their own capabilities.

Why did mobile zero-day counts fluctuate, and what does that indicate about exploitation complexity?

Mobile zero-day discovery counts fluctuated over the last three years: from 17 in 2023 to 9 in 2024, then rebounding to 15 in 2025. This variability reflects the evolving security landscape. As mobile operating system vendors (e.g., Apple, Google) implement stronger mitigations—like hardened sandboxes, memory tagging, and tighter app isolation—attackers are forced to adjust their techniques. Sometimes they chain more vulnerabilities to break through multiple security layers; other times, they exploit fewer or even single bugs by targeting less-protected components, such as a specific app or service. The net effect is that while raw counts fluctuate, the effort required for successful mobile exploitation often increases. This explains why some years see fewer but more sophisticated exploits, while others see a resurgence in simpler attacks when a new gap emerges.

What are the key implications for security teams based on 2025 trends?

Security teams should draw several lessons from the 2025 zero-day landscape. First, enterprise and edge devices remain prime targets—nearly half of all zero-days hit enterprise technology. Prioritize patching for firewalls, VPNs, and security appliances, and monitor for unusual network traffic from these devices. Second, state-sponsored groups are heavily investing in initial access via edge gear, so treat these as critical assets. Third, mobile devices continue to be targeted by commercial surveillance vendors; keep mobile OS and app updates current. Fourth, the BRICKSTORM example shows that even security-focused companies can be attacked for their intellectual property—implement robust access controls and data loss prevention. Finally, the stabilization of zero-day counts around 60–100 per year means staying vigilant is mandatory: invest in threat intelligence, vulnerability management, and incident response capabilities.
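One concrete way to act on the "monitor for unusual network traffic from these devices" recommendation is to treat perimeter appliances as assets that should rarely initiate connections of their own, and to flag the cases where they do so to a destination outside a small expected set. The script below is an added example written for this page, not code from Google Threat Intelligence Group or Mandiant; the asset inventory, the flow records, the IP addresses and the helper names (`EDGE_ASSETS`, `parse_flow`, `find_suspicious_flows`) are all constructed for illustration.

```python
"""Flag outbound connections initiated by edge/security appliances to
destinations outside each appliance's expected set.

Constructed sample data and hypothetical helper names; not from the report.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: perimeter devices and the only destinations each one
# is expected to open connections to (e.g. a log collector subnet and a
# vendor update host). Everything else an appliance initiates is reviewed.
EDGE_ASSETS = {
    "10.0.0.1": {"role": "firewall",
                 "expected": ["10.0.5.0/24", "203.0.113.10"]},
    "10.0.0.2": {"role": "vpn-concentrator",
                 "expected": ["10.0.5.0/24", "203.0.113.10"]},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form
    'src=A dst=B dport=N bytes=M' into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"],
                int(fields["dport"]), int(fields["bytes"]))


def is_expected(dst: str, expected: list) -> bool:
    """True if dst falls inside any of the allow-listed hosts/networks."""
    addr = ip_address(dst)
    return any(addr in ip_network(net, strict=False) for net in expected)


def find_suspicious_flows(lines, assets=EDGE_ASSETS):
    """Return (role, flow) pairs where an edge appliance is the initiator of a
    connection to a destination not in its expected set. Flows whose source
    is not an inventoried appliance are ignored: this check is only about
    the devices that bridge internal and external networks."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        asset = assets.get(flow.src)
        if asset is None:
            continue
        if not is_expected(flow.dst, asset["expected"]):
            hits.append((asset["role"], flow))
    return hits


# Constructed flow records. Two of them should be flagged: the firewall
# opening a large session to an unknown external host, and the VPN
# concentrator reaching an internal host outside the log-collector subnet.
SAMPLE_FLOWS = """\
src=10.0.0.1 dst=203.0.113.10 dport=443 bytes=1200
src=10.0.0.1 dst=198.51.100.77 dport=443 bytes=48213
src=10.0.0.2 dst=10.0.5.20 dport=514 bytes=300
src=10.0.1.50 dst=198.51.100.77 dport=443 bytes=900
src=10.0.0.2 dst=10.0.7.9 dport=445 bytes=5000
""".splitlines()


if __name__ == "__main__":
    for role, flow in find_suspicious_flows(SAMPLE_FLOWS):
        print(f"[review] {role} {flow.src} -> {flow.dst}:{flow.dport} "
              f"({flow.bytes_out} bytes)")
```

The allow-list is deliberately tiny: the point is that a firewall or VPN gateway has a short, knowable list of things it should talk to on its own, so any other initiated connection is cheap to surface and worth a human look, whether it turns out to be a misconfiguration or an appliance that has been used as an entry point.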