90 zero-days in one year: Google reveals the 2025 threat landscape
Google's Threat Intelligence Group (GTIG) just published its annual zero-day vulnerability report, and the numbers are concerning: 90 zero-days were actively exploited in 2025, a significant increase from the 78 tracked in 2024. Having followed these reports for years, I find the trend unmistakable: attackers are shifting targets.
The most alarming finding isn't the total count — it's where they're aiming: nearly half (48%) of these vulnerabilities targeted enterprise technology, an all-time high according to Google's official report.
Enterprises are now the primary target
For the first time, enterprise technology surpassed consumer products as the primary zero-day target. Of the 90 vulnerabilities, 43 (48%) directly targeted corporate infrastructure.
| Category | 2025 Zero-Days | 2024 Zero-Days | Change |
|---|---|---|---|
| Enterprise Technology | 43 (48%) | 31 (40%) | +39% |
| Operating Systems | 40 (44%) | 35 (45%) | +14% |
| Web Browsers | 8 (9%) | 15 (19%) | -47% |
| Mobile Devices | 15 (17%) | 9 (12%) | +67% |
| Total | 90 | 78 | +15% |
Most targeted products
Firewalls from Cisco and Fortinet, VPNs from Ivanti, and virtualization platforms from VMware were top targets. Microsoft led the vendor list with 25 zero-days, followed by Google (11), Apple (8), and Cisco (4).
China leads attacks with 10 attributed zero-days
Of the 90 zero-days, Google attributed 42 to specific threat actors. China-nexus groups exploited at least 10 vulnerabilities — double the figure from 2024. These groups focused particularly on edge devices and network security equipment.
The actor distribution is revealing:
- Commercial Surveillance Vendors (CSVs): 18 zero-days (15 confirmed + 3 likely)
- State-sponsored espionage (China primary): 15 zero-days (12 confirmed + 3 likely)
- Financially motivated cybercrime: 9 zero-days
In my experience analyzing threat intelligence, this is the first time commercial spyware vendors have surpassed government spies in zero-day exploitation. Companies selling surveillance tools to governments have become the single largest vector for sophisticated attacks.
How this affects you and how to protect yourself
If you work in IT or manage enterprise infrastructure, here are immediate actions to take:
- Update firewalls and VPNs: Cisco, Fortinet, and Ivanti have released patches. Apply them today, not tomorrow
- Review VMware vCenter: Multiple zero-days affected virtualization platforms
- Implement Zero Trust: Don't trust any edge device by default
- Monitor anomalous traffic: Attackers use security devices themselves as entry points
Useful commands to check for vulnerable versions
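```
# Check Cisco ASA firmware version (run on the ASA CLI)
show version | include Software Version

# Check FortiOS version (run on the FortiGate CLI)
get system status | grep Version

# Check VMware vCenter version (run in the vCenter Server Appliance shell)
vpxd -v

# Scan local network for devices with exposed VPN ports
# (192.168.1.0/24 is an example range; use your own network)
nmap -sV -p 443,8443,10443 192.168.1.0/24
```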
Common mistakes in zero-day response
Mistake 1: "Our firewall is updated, we're safe." Wrong. The report shows attackers exploit zero-days BEFORE patches exist. Solution: implement behavioral anomaly detection instead of relying only on signature updates.
Mistake 2: "Only large enterprises are targets." Commercial spyware is sold to any government or entity with the budget. SMBs with valuable data are also targets. Solution: network segmentation and mandatory multi-factor authentication.
Mistake 3: "We use a VPN, we're protected." Ironically, VPNs were among the most attacked products (Ivanti). Solution: consider alternatives like Cloudflare Zero Trust or Google BeyondCorp.
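One way to start on the behavioral detection recommended under Mistake 1 and the "Monitor anomalous traffic" action above is to baseline the connections each edge device initiates and alert on anything new. The following is an added example, not taken from Google's report; the device names, IP addresses and flow records are constructed, and the flow tuple format is an assumption.

```python
"""Flag connections initiated by edge devices that were never seen in a baseline window."""
from ipaddress import ip_address, ip_network

# Assumption: management IPs of the edge devices to watch (constructed values).
EDGE_DEVICES = {"10.0.0.1": "fw-01", "10.0.0.2": "vpn-01"}
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records as (src, dst, dst_port), e.g. exported from NetFlow.
BASELINE_FLOWS = [
    ("10.0.0.1", "10.0.5.10", 514),       # firewall -> syslog collector
    ("10.0.0.1", "203.0.113.10", 443),    # firewall -> update server (placeholder IP)
    ("10.0.0.2", "10.0.5.10", 514),       # VPN gateway -> syslog collector
    ("10.0.0.2", "10.0.5.20", 389),       # VPN gateway -> LDAP for user auth
]
NEW_FLOWS = [
    ("10.0.0.1", "10.0.5.10", 514),       # matches baseline
    ("10.0.0.2", "10.0.7.33", 445),       # VPN gateway opening SMB to a server
    ("10.0.0.2", "198.51.100.77", 8443),  # VPN gateway calling a new external host
    ("10.0.9.9", "198.51.100.77", 443),   # ordinary workstation, out of scope here
]

def build_baseline(flows):
    """Map each edge device IP to the set of (dst, port) pairs it initiated."""
    baseline = {}
    for src, dst, port in flows:
        if src in EDGE_DEVICES:
            baseline.setdefault(src, set()).add((dst, port))
    return baseline

def find_deviations(baseline, flows):
    """Return one alert per distinct device-initiated flow absent from the baseline."""
    alerts, seen = [], set()
    for src, dst, port in flows:
        key = (src, dst, port)
        if src not in EDGE_DEVICES or key in seen:
            continue
        seen.add(key)
        if (dst, port) in baseline.get(src, set()):
            continue
        # Internal destinations suggest lateral movement from the appliance;
        # external ones suggest an unexpected outbound channel.
        kind = "internal-lateral" if ip_address(dst) in INTERNAL else "external-new"
        alerts.append({"device": EDGE_DEVICES[src], "dst": dst,
                       "port": port, "kind": kind})
    return alerts

if __name__ == "__main__":
    for alert in find_deviations(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

Edge appliances normally initiate very few connections of their own, so even a simple per-device baseline like this produces a short, reviewable alert list.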
What to expect in 2026
The report warns that AI will increasingly be used to scale attacks: automated reconnaissance, vulnerability discovery, and AI-assisted exploit development. After reviewing the complete report, my conclusion is that 2026 will be even more intense for enterprise cybersecurity.