Google: Half of 2025’s 90 Exploited Zero-Days Aimed at Enterprises

Fewer than half of the total zero-days have been attributed to a threat actor, but spyware vendors and China are in the lead.

Google’s Threat Intelligence Group (GTIG) reported on Thursday that 90 zero-day vulnerabilities were exploited in the wild in 2025, and an increasing percentage were aimed at enterprises.  

In comparison, the company tracked 78 zero-days in 2024 and 100 the year before that.

The number of zero-days seen by Google every year

In 2025, Microsoft accounted for 25 of the zero-days, followed by Google (11), Apple (8), and Cisco (4).

Operating systems (both mobile and desktop) were the most targeted, increasing from 40% of the total in 2024 to 44% in 2025. 

Mobile device zero-days also increased, from 9 vulnerabilities in 2024 to 15 in 2025. However, Google noted that mobile exploits in many cases chained three or more flaws to achieve a single goal.

The number of browser zero-days continues to drop. While this can be an indicator of stronger browser security, it can also suggest that attacks are more sophisticated and harder to spot. 

Zero-day attribution in 2025

The exploitation of 42 of the 2025 zero-days has been attributed to a threat actor, with commercial surveillance vendors (CSV) taking the lead for the first time. These spyware makers exploited 15 of the vulnerabilities and three other flaws have been marked as ‘likely CSV’.

State-sponsored cyberespionage groups account for 12 of the zero-days and three additional vulnerabilities are also believed to be in this category. A significant percentage of these flaws has been linked to China. 

“Consistent with the trend we have observed for nearly a decade, in comparison to other state sponsors, PRC-nexus groups remained the most prolific users of zero-day vulnerabilities in 2025. These groups, such as UNC5221 and UNC3886, continued to focus heavily on security appliances and edge devices to maintain persistent access to strategic targets,” Google said in its report.

Enterprises increasingly targeted

Google highlighted that 43 of the zero-days, representing nearly half of the total, affected enterprise technologies, which is an all-time high. 

Many attacks were aimed at networking and cybersecurity appliances with the goal of gaining initial access.

“Increased exploitation of security and networking devices highlights the critical risk that can be posed by trusted edge infrastructure, while targeting of enterprise software exhibits the value of highly interconnected platforms that provide privileged access across networks and data assets,” Google explained.

Google believes AI will be increasingly used in 2026. While threat actors will leverage AI to accelerate vulnerability discovery and exploit development, defenders can use it to enhance security operations, including proactively discovering unknown vulnerabilities and neutralizing them before they are weaponized. 

Additional information and insights can be found in Google’s full report.


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
