Google report: More zero-day vulnerabilities impacting enterprises
How zero-day exploits are shifting enterprise security threats
Takeaways
- Zero-day vulnerabilities are increasingly impacting enterprises, with both the number and proportion of affected technologies reaching record highs in 2025.
- Half of enterprise-targeted zero-days focused on networking and security software, highlighting attackers' shift toward critical business infrastructure.
- Operating systems were the most exploited product category, accounting for 44% of all zero-day vulnerabilities, while browsers represented less than 10%.
- Mass exploitation is rising, suggesting nation-state adversaries are getting better at developing and distributing exploits rapidly.
A Google Threat Intelligence Group (GTIG) analysis of 90 zero-day vulnerabilities that were actually exploited in 2025 suggests attackers are focusing more of their efforts on richer enterprise targets.
Both the raw number (43) and proportion (48%) of vulnerabilities impacting enterprise technologies reached all-time highs, accounting for almost 50% of total zero-days exploited in 2025. Among these vulnerabilities, about half (21) specifically targeted networking and security software.
The report also notes that operating systems, including both desktop and mobile, were the most exploited product category in 2025, accounting for 44% (39) of all zero-day vulnerabilities. Browsers, in contrast, accounted for less than 10% of 2025 zero-day exploitation. However, multiple browser sandbox escapes were discovered, each of which was specifically designed to exploit components of either the underlying operating system or the hardware used.
Additionally, there has been more mass exploitation of vulnerabilities. That suggests adversaries working on behalf of nation-states have become increasingly adept at developing, sharing and distributing exploits.
Evolving tactics and techniques
Overall, the GTIG report suggests exploitation of enterprise applications will continue to account for a large share of these attacks. The breadth of applications being deployed continues to expand the overall attack surface that cybersecurity teams are expected to defend, while at the same time adversaries embrace artificial intelligence (AI) to discover and exploit vulnerabilities faster.
The tactics and techniques being used by adversaries also appear to be evolving. For example, the report notes that a BRICKSTORM malware campaign attributed to an espionage group affiliated with the People’s Republic of China targeted intellectual property, including source code and proprietary development documents. This IP could potentially be used to discover vulnerabilities in the software to target downstream customers.
On the plus side, however, AI should enable defenders to both more proactively discover vulnerabilities and, when needed, build, test and deploy patches, the report notes.
Common attack vectors
Zero-day exploits are most commonly used to achieve remote code execution, followed by privilege escalation. Command injection and deserialization flaws were both critical vectors in the enterprise; deserialization converts structured data back into a live object or data structure that a program can use. Malicious actors also continue to rely on memory corruption, which accounted for 35% of the vulnerabilities.
Other common attack vectors included bypasses of authentication and authorization mechanisms and exploits that targeted logic and design flaws commonly found in enterprise appliances.
In general, the GTIG report advises cybersecurity teams to employ firewalls to enable inherent segmentation and least privilege access controls to thwart more of these attacks. They should also invest in observability and monitoring tools to discover breaches that at this point are all but inevitable, the report notes.
Cybersecurity teams should also maintain a software bill of materials (SBOM) that, in the event of an attack, will make it easier to identify which of their software libraries might be affected.
As Willie Sutton once noted, criminals rob banks because that’s where the money is. That same thinking in the age of IT now applies to enterprise IT organizations.