Google: Half of 2025’s 90 Exploited Zero-Days Aimed at Enterprises

Less than half of the total zero-days have been attributed to a threat actor, but spyware vendors and China are in the lead.

By Eduard Kovacs | March 5, 2026 (10:00 AM ET)

Google’s Threat Intelligence Group (GTIG) reported on Thursday that 90 zero-day vulnerabilities were exploited in the wild in 2025, and an increasing percentage were aimed at enterprises. In comparison, the company tracked 78 zero-days in 2024 and 100 in the previous year.

[Figure: The number of zero-days seen by Google every year]

In 2025, Microsoft accounted for 25 of the zero-days, followed by Google (11), Apple (8), and Cisco (4).

Operating systems (both mobile and desktop) were the most targeted, increasing from 40% of the total in 2024 to 44% in 2025. Mobile device zero-days also increased, from 9 vulnerabilities in 2024 to 15 in 2025. However, in the case of mobile exploits, Google noted that in many cases three or more flaws were chained to achieve a single goal.

The number of browser zero-days continues to drop. While this can be an indicator of stronger browser security, it can also suggest that attacks are more sophisticated and harder to spot.

Zero-day attribution in 2025

The exploitation of 42 of the 2025 zero-days has been attributed to a threat actor, with commercial surveillance vendors (CSV) taking the lead for the first time. These spyware makers exploited 15 of the vulnerabilities and three other flaws have been marked as ‘likely CSV’.

State-sponsored cyberespionage groups account for 12 of the zero-days and three additional vulnerabilities are also believed to be in this category. A significant percentage of these flaws has been linked to China.
“Consistent with the trend we have observed for nearly a decade, in comparison to other state sponsors, PRC-nexus groups remained the most prolific users of zero-day vulnerabilities in 2025. These groups, such as UNC5221 and UNC3886, continued to focus heavily on security appliances and edge devices to maintain persistent access to strategic targets,” Google said in its report.

Enterprises increasingly targeted

Google highlighted that 43 of the zero-days, representing nearly half of the total, affected enterprise technologies, which is an all-time high. Many attacks were aimed at networking and cybersecurity appliances with the goal of gaining initial access.

“Increased exploitation of security and networking devices highlights the critical risk that can be posed by trusted edge infrastructure, while targeting of enterprise software exhibits the value of highly interconnected platforms that provide privileged access across networks and data assets,” Google explained.

Google believes AI will be increasingly used in 2026. While threat actors will leverage AI to accelerate vulnerability discovery and exploit development, defenders can use it to enhance security operations, including proactively discovering unknown vulnerabilities and neutralizing them before they are weaponized.

Additional information and insights can be found in Google’s full report.
This article reports on Google's analysis of 90 exploited zero-day vulnerabilities in 2025, noting a significant trend of targeting enterprise technologies, with nearly half (43) aimed at enterprise software, networking, and security appliances to gain initial access. The primary actors exploiting these vulnerabilities were commercial surveillance vendors and state-sponsored groups, with China-linked actors being particularly prolific. The article does not provide details on specific CVEs, CVSS scores, affected software versions, fixed versions, or workarounds for individual vulnerabilities.