IT admins everywhere just got handed another migraine.
That’s the upshot from Google’s Threat Intelligence Group’s 2025 zero-day vulnerabilities review: 90 flaws exploited in the wild, stabilizing after 2023’s frenzy but still hammering enterprise tech harder than ever.
Your average employee? Safer surfing Chrome, sure—browser exploits cratered to lows. But log into the corporate VPN from home? That’s where state hackers are lurking, prowling edge devices like never before.
And here’s the raw data dump: 43 of those 90 zero-days—48%—slammed enterprise gear. All-time high for that share. Meanwhile the total count sits in the same 60-100 range as past years, the grim plateau we’re stuck on.
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
Stabilization. Cute word for ‘endemic plague.’
Why Are Enterprises Suddenly the Zero-Day Darling?
Look, browsers got bunkered up—vendors like Google poured concrete around sandboxing, killing easy RCE chains. Result? Mobile zero-days bounced back to 15 from 9, as attackers chain more bugs or drop to simpler hits on apps. Fine.
But enterprises? Sitting ducks. Networking boxes, firewalls, the ‘trusted’ perimeter junk that’s first in the kill chain. State-sponsored crews—especially PRC-nexus groups like UNC5221—piled on, with over half their zero-days punching those edges. Why? One pop grants a network foothold, a data siphon, persistence. Your org’s SaaS sprawl? An interconnected candy store for lateral moves.
Numbers don’t lie: 48% enterprise share dwarfs past peaks. Financial crooks chipped in 9 zero-days, matching 2023 highs proportionally. Everyone’s cashing in.
Here’s my take—the one Google’s report dances around: this mirrors the early 2010s exploit broker boom, when zero-days went from spy toys to dark web staples. Back then, iOS jailbreaks funded mansions; now commercial surveillance vendors (CSVs) are the new brokers, peddling chains to any dictator with a checkbook. Democratization? Nah, proliferation.
CSVs Outpacing Spies—Good or Gory?
Crunch the attributions. For the first time, commercial surveillance vendors snagged more zero-days than state espionage crews. They’re still chasing mobile and browsers, tweaking chains past iOS lockdowns or Android fences.
For the first time since we began tracking zero-day exploitation, we attributed more zero-days to CSVs than to traditional state-sponsored cyber espionage groups.
Smart adaptation. But risky for them—and us. These vendors lower the bar, handing exploits to mid-tier tyrants who couldn’t code a phishing page. PRC groups still king of state ops, hammering appliances for IP grabs (hello, BRICKSTORM malware hitting tech firms).
Financial actors? Tied at 9, chasing ransomware payloads or crypto heists. No one’s sleeping.
The shift’s structural: away from end-user browsers (down, down, down), toward OS guts and enterprise stacks. The attack surface swells with IoT edges and SaaS sprawl—a single weak link dooms all.
But wait—complexity’s biting back. Mobile counts flux because simple bugs die fast under mitigations. Attackers chain five vulns or pivot to service-level pokes. Effort up, but payoffs huge in locked-down worlds.
2026 Forecast: AI Hype Meets Reality Check
Google peers ahead: adversaries expand targets, enterprise sprawl feeds the beast. Fair.
Then AI drops. They’ll automate attacks, scale fuzzing, mutate payloads. Dynamic threats, they say.
Skeptical snort. AI’s overhyped here—like every CEO’s ‘AI-first’ memo. Sure, it’ll fuzz faster, but zero-days thrive on novelty, not brute force. Defenders get the same tools: AI-driven EDR, anomaly hunts. The race quickens, but doesn’t flip. My bold call? 2026 hits 95-105 zero-days, CSVs claim 30%, as vendor mitigations harden consumer tech but enterprises lag—legacy stacks gonna legacy-stack.
Edge devices? Still spy catnip. Patch ‘em yesterday.
Real people angle—your startup’s Ubiquiti router or Cisco firewall? Prime UNC5221 bait. CFOs: budget for zero-day insurance, not just clouds. Individuals: you’re collateral, but swap browsers? Nah, focus on home networks.
Market dynamics scream buy defenders. CrowdStrike, Palo Alto—stock pops justified as enterprise zero-days spike. Attackers adapt, but vendors evolve too. Still, 48% enterprise burn rate? C-suites, wake up.
PR spin from Google? ‘Stabilization’ sounds comfy. It’s not. Four-year 60-100 rut means cyber’s mature market—supply steady, demand insatiable. Like oil.
Why Does This Matter for Enterprises?
Budget hawks, listen: edge appliances aren’t ‘set it and forget it.’ They’re breach doors. 2025 proved it—networking and security gear topped the lists.
Mitigate? Zero-trust everything, AI-monitored patches, segment like mad. But sprawl kills—every app’s a vector.
CSVs thriving? Means more customers, wilder targets. Not just dissidents; tech IP theft funds next chains. Vicious loop.
Financials at 10% share? Ransomware 2.0, zero-days as loaders.
One-paragraph plea: CISOs, audit edges now. Vendors, ship mitigations faster. Users, VPN your ass off.
Frequently Asked Questions
What were the top targets for 2025 zero-days?
Enterprises topped at 48%, especially security appliances and networking gear; browsers fell to lows.
How many zero-days hit in 2025 vs prior years?
90 total—down from 2023’s 100, up from 2024’s 78, steady in 60-100 trend.
Will AI make zero-days worse in 2026?
Likely accelerates automation, but defenses match; expect slight uptick to 95+.