Google GTIG: 90 Zero-Days Actively Exploited in 2025 — Enterprise Systems at Record Risk
Google's Threat Intelligence Group (GTIG) has published its annual zero-day exploitation review, tracking 90 zero-day vulnerabilities actively exploited throughout 2025. The report marks a record-setting year for enterprise technology targeting, with nearly half of all exploited flaws impacting business-critical systems — a structural shift that signals a deliberate pivot by sophisticated threat actors away from consumer software and toward high-value organizational infrastructure.
The findings, published on March 5, 2026, offer the most comprehensive public accounting of in-the-wild zero-day exploitation and carry significant implications for defenders securing enterprise networks.
Report at a Glance
| Metric | 2025 Value |
|---|---|
| Total zero-days exploited | 90 |
| Enterprise tech zero-days | 43 (48%) — all-time high |
| OS zero-days (desktop) | 24 |
| Mobile platform zero-days | 15 |
| Browser zero-days | 8 (sharp decline) |
| Top targeted vendor | Microsoft (25 zero-days) |
| Zero-days attributed to commercial surveillance vendors (CSVs) | 15 confirmed (leading category), plus 3 assessed as likely |
| China-linked espionage zero-days | 10 |
| Report publisher | Google Threat Intelligence Group (GTIG) |
Enterprise Technology: The New Primary Target
A Structural Shift in Exploitation Patterns
The 2025 data confirms what defenders have observed anecdotally: threat actors are systematically redirecting zero-day exploitation toward enterprise infrastructure. In 2025, 43 of the 90 exploited zero-days — nearly half — targeted enterprise technologies, setting an all-time high for both the raw count and the proportion of total exploitation.
The most targeted enterprise categories were:
- Security appliances — firewalls, VPN gateways, and endpoint security platforms that sit at the network perimeter
- Networking infrastructure — routers, switches, and network management platforms
- Virtualization platforms — hypervisors and virtual infrastructure management consoles
- Enterprise productivity and collaboration tools
These targets share a common profile: they provide privileged network access, often lack modern EDR (Endpoint Detection and Response) monitoring, and are difficult to patch quickly due to operational constraints.
Why Enterprise Tech Is More Attractive
Consumer-facing software like web browsers historically dominated zero-day exploitation, but the economics have shifted. A single zero-day in an enterprise VPN or firewall can provide:
- Immediate network-level access to an entire organization
- Persistence without touching endpoints that carry EDR
- Lateral movement opportunities across segmented environments
- Exfiltration pathways through trusted infrastructure
Browser exploitation, by contrast, requires additional privilege escalation steps and is increasingly mitigated by sandbox technologies, ASLR, and browser hardening.
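The persistence and exfiltration points above hinge on one fact: a perimeter appliance usually cannot run an EDR agent, so the compensating control is the traffic the appliance itself generates. A healthy VPN gateway or firewall terminates inbound sessions and initiates only a small, predictable set of connections of its own (vendor update or licensing services, DNS, NTP, a syslog collector). A compromised one that beacons out or pivots into the LAN breaks that baseline. The following is an added example, not code from GTIG or from the article; the appliance addresses, the egress allowlist, the flow-log format and the sample records are all constructed for illustration.

```python
"""Flag connections that a perimeter appliance initiates outside its baseline.

Added example. The log format assumed here is a simple CSV export of
session-start flow records (ts,src,sport,dst,dport,proto) in which the
source is the side that opened the connection; the appliance IPs and the
expected-egress allowlist are illustrative assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: egress/management addresses of our own appliances.
APPLIANCE_IPS = {"203.0.113.10", "203.0.113.11"}
# Assumed: internal ranges the appliance should never open sessions into.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed: (dst_ip, dst_port, proto) the appliance legitimately initiates.
EXPECTED_EGRESS = {
    ("198.51.100.5", 443, "tcp"),  # vendor update / licensing service
    ("10.0.0.53", 53, "udp"),      # internal DNS resolver
    ("10.0.0.123", 123, "udp"),    # internal NTP
    ("10.0.0.200", 514, "udp"),    # syslog collector
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one 'ts,src,sport,dst,dport,proto' record (assumed format)."""
    ts, src, sport, dst, dport, proto = line.strip().split(",")
    return Flow(ts, src, int(sport), dst, int(dport), proto.lower())


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return None for an expected flow, else a short reason string."""
    if flow.src not in APPLIANCE_IPS:
        return None  # not appliance-initiated; inbound traffic is out of scope here
    if (flow.dst, flow.dport, flow.proto) in EXPECTED_EGRESS:
        return None
    target = f"{flow.dst}:{flow.dport}/{flow.proto}"
    if is_internal(flow.dst):
        return f"appliance {flow.src} opened a session into internal host {target} (possible pivot)"
    return f"appliance {flow.src} opened an unexpected outbound session to {target} (possible C2/exfil)"


def find_anomalies(lines):
    """Run classify() over raw log lines, skipping blanks and '#' comments."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        reason = classify(parse_flow(line))
        if reason:
            findings.append(reason)
    return findings


# Constructed sample records (not real traffic). Line 3 is an inbound
# client session and is ignored; lines 4 and 5 should be flagged.
SAMPLE_LOG = """\
# ts,src,sport,dst,dport,proto
2025-06-01T02:00:01Z,203.0.113.10,51000,198.51.100.5,443,tcp
2025-06-01T02:00:05Z,203.0.113.10,51001,10.0.0.53,53,udp
2025-06-01T02:01:10Z,198.51.100.77,44022,203.0.113.10,443,tcp
2025-06-01T02:02:30Z,203.0.113.10,51002,10.0.5.20,445,tcp
2025-06-01T02:03:45Z,203.0.113.11,51003,192.0.2.44,8443,tcp
"""

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG.splitlines()):
        print(finding)
```

The check only works if the flow source records the initiator of the session, which is how stateful firewall session logs and NetFlow/IPFIX with direction fields behave; on a collector that emits both directions of every conversation, filter to session-start records first or the appliance's replies to inbound clients will show up as false positives. The allowlist has to be rebuilt after every firmware update, since vendors change update endpoints.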
Vendor Breakdown: Microsoft Leads by a Wide Margin
| Vendor | Zero-Days (2025) |
|---|---|
| Microsoft | 25 |
| Google | 11 |
| Apple | 8 |
| Cisco | 4 |
| Fortinet | 4 |
| Ivanti | 3 |
| VMware | 3 |
| Other vendors | Remaining |
Microsoft's 25 exploited zero-days reflect both the company's enormous install base and the sophistication of adversaries targeting its ecosystem — from Windows OS to Exchange, Office, and Azure-connected services. Ivanti and Fortinet continue to appear prominently despite vendor remediation efforts, underscoring ongoing challenges in securing widely deployed remote-access infrastructure.
Attribution: Spyware Vendors Take the Lead for the First Time
Commercial Surveillance Vendors Surpass Nation-States
A landmark finding in the 2025 report: commercial surveillance vendors (CSVs) were attributed the highest number of zero-day exploits of any actor category for the first time, with 15 confirmed cases and three more assessed as "likely CSV." This exceeds the combined total for state-sponsored espionage groups.
CSVs — companies that develop and sell offensive cyber tools to government clients — have historically operated in a legal gray area. Their products, marketed as lawful intercept solutions, are increasingly weaponized against journalists, dissidents, lawyers, and political opponents.
China-Linked Groups Lead State-Sponsored Exploitation
Among nation-state actors, China-linked espionage groups remain the most active, exploiting 10 zero-days in 2025. Three additional vulnerabilities were assessed as "likely China-linked." Chinese APT clusters have demonstrated a consistent focus on:
- Telecommunications infrastructure
- Defense industrial base networks
- Government and diplomatic targets
- Critical manufacturing and logistics systems
Overall, state-sponsored groups accounted for 12 confirmed zero-days plus three additional "likely" attributions.
Browser Zero-Days: A Notable Decline
Browser zero-days dropped to 8 in 2025, representing one of the sharpest single-year declines in recent memory. GTIG attributes this to:
- Improved browser sandbox hardening reducing the exploitability of renderer bugs
- Process isolation improvements in Chrome and Safari, which force attackers to chain a renderer bug with a separate sandbox escape rather than exploit a single flaw
- Rapid patching cycles limiting the operational window for browser 0-days
- Adversary preference shifting toward enterprise targets that offer greater access with less detection risk
Despite the lower count, browser zero-days remain high-value, and exploitation chains that include a browser bug continue to appear in sophisticated campaigns.
AI and the Future of Zero-Day Exploitation
GTIG's forward-looking assessment is sobering: AI tools are expected to accelerate both vulnerability discovery and exploit development. The group forecasts that exploitation of zero-day flaws in 2026 will remain high — and potentially increase — as:
- AI-assisted fuzzing lowers the barrier to finding novel vulnerabilities
- LLM-based code analysis tools reduce the time from patch release to working exploit
- Nation-state and CSV actors invest in AI-augmented offensive research capabilities
Impact Assessment
| Impact Area | Description |
|---|---|
| Enterprise defenders | Security appliances and VPN gateways are high-priority targets requiring aggressive patch cycles |
| Vendor accountability | Microsoft, Ivanti, and Fortinet face continued scrutiny over zero-day frequency |
| Spyware ecosystem | CSV-driven exploitation now exceeds state-sponsored levels — regulatory pressure is expected to increase |
| Mobile security | 15 mobile OS zero-days confirm that smartphones remain high-value espionage targets |
| Browser security | Continued hardening investment is paying off; browser 0-days show meaningful decline |
Recommendations
For Security Teams
- Prioritize enterprise perimeter devices — VPNs, firewalls, and security appliances were the most targeted categories; apply patches within 24-48 hours of vendor disclosure and enable automatic update mechanisms where available
- Extend behavioral monitoring to network appliances: deploy EDR on every endpoint that can run it, and for the many exploited enterprise devices that cannot host an agent, forward their logs centrally and implement network-based behavioral detection
- Monitor vendor advisories for Cisco, Fortinet, and Ivanti — these vendors have consistently appeared in zero-day reports; subscribe to vendor security advisories and maintain patch cadence SLAs
- Assume browser zero-days are underreported — even with declining numbers, browser exploitation remains viable; enforce browser update policies and consider enterprise browser management tools
- Prepare for AI-accelerated exploitation timelines — the window between patch release and functional exploit is shrinking; treat every critical CVE as potentially weaponized within days, not weeks
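Three of the recommendations above (prioritize perimeter devices, maintain patch cadence SLAs for the vendors that recur in the report, and treat the patch-to-exploit window as days) come down to one operational question: of the exploited vulnerabilities I have not remediated, which ones are already past their deadline? The following is an added example, not code from GTIG or the article, that triages a feed shaped like the CISA Known Exploited Vulnerabilities catalog (fields `cveID`, `vendorProject`, `product`, `dateAdded`) against per-category SLAs. The 48-hour perimeter SLA follows the recommendation above; the other SLA values, the keyword-based product categorization, and the sample feed with placeholder `CVE-0000-*` identifiers and fictional vendors are assumptions constructed for illustration.

```python
"""Rank unpatched KEV-style entries by how far past their patch SLA they are.

Added example. Field names follow the CISA KEV JSON (cveID, vendorProject,
product, dateAdded); the SLA table, category keywords, vendor watchlist
handling and sample records are assumed policy / constructed data.
"""
from datetime import datetime, timedelta, timezone

# Vendors that recur in the report's breakdown; used only to flag entries.
WATCHLIST_VENDORS = {"microsoft", "google", "apple", "cisco", "fortinet", "ivanti", "vmware"}

# Remediation SLAs in hours. 48h for perimeter devices follows the text above;
# the remaining values are assumed for illustration.
SLA_HOURS = {
    "perimeter": 48,       # VPN, firewall, security appliance
    "virtualization": 72,  # hypervisors, management consoles
    "endpoint": 168,       # OS, browser, productivity software
    "other": 336,
}

# Assumed keyword mapping from the product field to a category.
CATEGORY_KEYWORDS = {
    "perimeter": ("vpn", "firewall", "gateway", "secure access", "appliance"),
    "virtualization": ("hypervisor", "vcenter", "esxi", "virtual"),
    "endpoint": ("browser", "windows", "macos", "ios", "android", "office"),
}


def categorize(product):
    """Map a product name to an SLA category; unknown products fall to 'other'."""
    name = product.lower()
    for category, words in CATEGORY_KEYWORDS.items():
        if any(w in name for w in words):
            return category
    return "other"


def parse_date(text):
    """KEV dates are 'YYYY-MM-DD'; treat them as midnight UTC."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def triage(entries, patched, now, watchlist=WATCHLIST_VENDORS):
    """Return unpatched entries, most overdue first.

    entries: KEV-style dicts; patched: set of CVE IDs already remediated;
    now: timezone-aware datetime. hours_overdue is negative while still in SLA.
    Ties are broken in favour of perimeter devices, then watchlist vendors.
    """
    rows = []
    for entry in entries:
        if entry["cveID"] in patched:
            continue
        category = categorize(entry["product"])
        deadline = parse_date(entry["dateAdded"]) + timedelta(hours=SLA_HOURS[category])
        rows.append({
            "cveID": entry["cveID"],
            "vendor": entry["vendorProject"],
            "category": category,
            "watchlist": entry["vendorProject"].lower() in watchlist,
            "deadline": deadline.isoformat(),
            "hours_overdue": round((now - deadline).total_seconds() / 3600, 1),
        })
    rows.sort(key=lambda r: (-r["hours_overdue"], r["category"] != "perimeter", not r["watchlist"]))
    return rows


# Constructed sample feed: placeholder CVE IDs and fictional vendors.
SAMPLE_FEED = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "Secure Access VPN", "dateAdded": "2025-06-01"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Contoso", "product": "Office Suite", "dateAdded": "2025-05-20"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Fabrikam", "product": "Virtual Infrastructure Manager", "dateAdded": "2025-06-02"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ExampleNet", "product": "Next-Gen Firewall", "dateAdded": "2025-06-03"},
]
# Fixed "current time" so the example is reproducible offline.
EXAMPLE_NOW = datetime(2025, 6, 4, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in triage(SAMPLE_FEED, patched=set(), now=EXAMPLE_NOW):
        state = "OVERDUE" if row["hours_overdue"] > 0 else "in SLA"
        print(f"{row['cveID']:14} {row['category']:15} {row['hours_overdue']:>7}h {state}")
```

In practice the `entries` list comes from the live KEV JSON and `patched` from the asset inventory or vulnerability scanner; the SLA clock here starts at `dateAdded`, which is the date exploitation became public knowledge rather than the vendor's patch date, so an entry can already be overdue on the day it appears. That is the intended behaviour for a feed of vulnerabilities known to be exploited.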
For CISOs and Risk Teams
- Incorporate CSV threat modeling — commercial spyware vendors now represent the leading category of zero-day exploitation; organizations employing journalists, lawyers, activists, or government personnel should evaluate mobile device security posture
- Track China-linked APT activity aligned to your sector — with 10 zero-days attributed to Chinese espionage groups, sector-specific threat intelligence is essential for prioritization
- Review virtualization platform patching — VMware and similar platforms appeared in the enterprise target list; virtualization infrastructure is high-impact and often under-patched
Key Takeaways
- 90 zero-days were exploited in 2025 — enterprise technologies account for a record 48% of all exploited flaws, signaling a deliberate strategic shift by adversaries
- Commercial spyware vendors led zero-day exploitation for the first time, surpassing nation-state actors with 15 confirmed cases plus three assessed as likely
- Microsoft topped the vendor list with 25 zero-days — followed by Google (11), Apple (8), Cisco and Fortinet (4 each)
- China-linked groups remain the most active state-sponsored exploiters with 10 attributed zero-days in 2025
- Browser zero-days declined sharply to 8 — ongoing sandbox hardening and rapid patching are producing measurable defensive results
- AI is expected to sustain or increase zero-day exploitation rates in 2026 — faster vulnerability discovery and exploit development timelines demand faster patch response
Sources
- Google says 90 zero-days were exploited in attacks last year — BleepingComputer
- Google: Half of 2025's 90 Exploited Zero-Days Aimed at Enterprises — SecurityWeek
- Look What You Made Us Patch: 2025 Zero-Days in Review — Google Cloud Blog
- Google: Spyware vendors, China-linked spies led 0-day abuse — The Register
- Google Uncovers 90 Zero-Day Vulnerabilities Under Active Exploitation in 2025 — GBHackers
- Google: 90 zero-days exploited in the wild in 2025, most by spyware — CyberInsider