Google's Threat Intelligence Group documented 90 zero-day vulnerabilities exploited in 2025, up from 78 in 2024, with commercial spyware vendors and China-linked groups leading the abuse.
Google's Threat Intelligence Group (GTIG) documented a record 90 zero-day vulnerabilities exploited in the wild during 2025, marking a significant increase from the 78 zero-days tracked in 2024. The findings, detailed in GTIG's annual report, reveal a troubling escalation in zero-day exploitation that poses serious risks to enterprise technology and global cybersecurity.
Commercial Spyware Vendors Dominate Exploitation
The most striking revelation from the report is that commercial spyware vendors accounted for the largest share of zero-day exploitation, responsible for 40% of all documented cases. This represents a concerning trend where private companies are developing and deploying sophisticated attack capabilities that were once the exclusive domain of nation-state actors.
These commercial entities are selling their capabilities to governments and other clients, effectively creating a market for digital surveillance tools that can bypass even the most advanced security measures. The proliferation of such services has democratized access to powerful cyber capabilities, lowering the barrier for sophisticated attacks.
China-Linked Groups Maintain Aggressive Posture
Chinese state-affiliated groups remained highly active in zero-day exploitation, continuing their pattern of targeting enterprise technology, government agencies, and critical infrastructure. These groups have demonstrated sophisticated capabilities in discovering and weaponizing vulnerabilities before vendors can patch them.
The targeting of enterprise technology is particularly concerning, as it suggests these actors are focused on long-term intelligence gathering and potential disruption of business operations. The report indicates that 43 of the 90 zero-days hit enterprise tech products, representing a significant portion of the total exploitation observed.
Enterprise Technology Under Siege
Of the 90 zero-days GTIG tracked, 43 targeted enterprise technology products, highlighting the sector's attractiveness to threat actors. This focus on enterprise tech suggests that attackers are prioritizing targets with valuable data, intellectual property, and operational control.
Enterprise organizations face unique challenges in defending against zero-day attacks, as these vulnerabilities are unknown to vendors and therefore lack available patches at the time of exploitation. This creates a window of opportunity for attackers that can last days, weeks, or even months depending on how quickly the vulnerability is discovered and disclosed.
Broader Implications for Cybersecurity
The increase in zero-day exploitation from 78 to 90 represents more than just a numerical uptick—it signals a fundamental shift in the cyber threat landscape. The combination of commercial spyware vendors entering the market and nation-state actors maintaining aggressive exploitation campaigns creates a multi-faceted threat environment.
Organizations must now contend with both profit-driven entities selling surveillance capabilities and state-sponsored groups pursuing geopolitical objectives. This dual threat vector makes traditional defense strategies less effective, as the motivations and resources behind these attacks vary significantly.
The Race Between Discovery and Disclosure
The data underscores the ongoing race between vulnerability discovery and disclosure. Zero-days exist in a gray area where they are valuable to both defenders (who want to patch them) and attackers (who want to exploit them). The fact that 90 were observed in a single year suggests that either more are being discovered, more are being used, or both.
This dynamic creates a challenging environment for security researchers and vendors who must balance responsible disclosure with the need to protect users from active exploitation. The increasing commercialization of zero-day capabilities adds another layer of complexity, as profit motives may influence disclosure timelines and practices.
Looking Ahead
The trends documented in GTIG's report suggest that 2025 represented a watershed moment in zero-day exploitation, with commercial actors entering the fray alongside traditional nation-state players. As these capabilities become more widely available and sophisticated, organizations across all sectors will need to reassess their security postures and invest in more robust defensive measures.
The continued targeting of enterprise technology indicates that businesses remain attractive targets for sophisticated attackers, requiring ongoing vigilance and investment in security infrastructure to mitigate the risks posed by these advanced persistent threats.
