
2025 Zero-Day Exploits: A Deep Dive into Trends and Targets

Posted by u/Tiobasil · 2026-05-04 21:06:10

In 2025, Google Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild. While this volume is lower than the record 100 seen in 2023, it surpasses 2024's count of 78, indicating a stabilization within the 60–100 range observed over the past four years. A notable shift toward enterprise exploitation emerged, with both raw numbers and proportions reaching all-time highs. State-sponsored groups increasingly targeted edge devices and security appliances, while commercial surveillance vendors adapted their mobile and browser exploit chains. The following Q&A explores key findings from the report.

How many zero-day vulnerabilities were exploited in 2025, and how does that compare to previous years?

In 2025, researchers documented 90 zero-day vulnerabilities actively exploited in the wild. This number is lower than the record peak of 100 observed in 2023 but higher than 2024's total of 78. The count remains within the 60–100 range that has characterized exploitation levels over the last four years, suggesting a trend toward stabilization. Importantly, the proportion of these vulnerabilities targeting enterprise technologies rose to an all-time high of 48%, up from previous years. This marks a structural shift in attacker focus, moving away from consumer-oriented software like browsers toward enterprise-grade systems.

2025 Zero-Day Exploits: A Deep Dive into Trends and Targets
Source: www.mandiant.com

What significant shift in exploitation targets was observed in 2025?

2025 saw a clear pivot toward enterprise software and infrastructure. Vulnerabilities in enterprise technologies accounted for 48% of all exploited zero-days, a record high. This increase was driven by heightened targeting of networking and security appliances—such as firewalls, VPN gateways, and security platforms—which serve as critical edge devices. Attackers exploit these systems for initial access to victim networks, leveraging their elevated privileges and network trust. Concurrently, browser-based exploitation dropped to historical lows, while operating system vulnerabilities saw increased abuse. This shift reflects threat actors' pursuit of more impactful entry points within corporate environments.

Why are mobile zero-day vulnerabilities becoming more complex?

Mobile zero-day counts have fluctuated—17 in 2023, 9 in 2024, and 15 in 2025—but the complexity of exploits is rising. As mobile vendors implement stronger mitigations, attackers must adapt. Some threat actors chain multiple vulnerabilities to bypass layered defenses, targeting highly protected components like the kernel or TrustZone. Others succeed with fewer or even single bugs by exploiting lower-level access within specific applications or services. This arms race forces adversaries to continuously evolve their techniques, leading to more sophisticated exploit chains. The resurgence in mobile exploitation in 2025, after a dip in 2024, underscores the ongoing cat-and-mouse dynamics in mobile security.

Which threat actors are focusing on edge devices and security appliances?

State-sponsored espionage groups are the primary drivers behind the targeting of edge devices and security appliances in 2025. Over half of the zero-day exploits attributed to these groups focused on such technologies. These devices—like firewalls, VPN concentrators, and remote access gateways—are prized because they sit at network boundaries, providing a trusted foothold. Once compromised, attackers can move laterally with elevated privileges. Commercial surveillance vendors also maintain interest, though they concentrate more on mobile and browser exploitation. The BRICKSTORM malware campaign, linked to multiple intrusions, targeted technology companies for intellectual property theft, demonstrating how stolen data can fuel further zero-day development.


How did commercial surveillance vendors (CSVs) adapt their tactics in 2025?

Commercial surveillance vendors continued to evolve their exploit techniques in 2025, particularly for mobile and browser platforms. They have expanded their exploit chains to bypass newer security boundaries, such as enhanced sandbox protections and memory mitigations. Some CSVs now use more vulnerabilities per chain to achieve deep system access, while others refine methods to exploit single bugs in less-protected components. This adaptation reflects ongoing investment in surveillance capabilities despite improved defenses on major mobile operating systems. The sustained focus on mobile exploitation, even amid an overall drop in browser attacks, highlights CSVs' priority of reaching high-value targets via personal devices.

What is the BRICKSTORM malware and what were its objectives in 2025?

BRICKSTORM is a sophisticated malware strain associated with multiple intrusion campaigns in 2025. Its operators targeted a range of organizations, with a particular emphasis on technology companies. The primary objective was intellectual property theft—stealing proprietary data, source code, and technical documentation. This stolen material could then be leveraged to develop new zero-day exploits or enhance existing attack tools. The targeting of tech firms is especially concerning because it creates a feedback loop: compromising one company yields information to better attack others. BRICKSTORM's activities exemplify how espionage groups pursue long-term strategic advantages through cyber operations.

How did enterprise software and networking devices become prime targets?

Enterprise software and networking devices have become prime targets because they offer privileged access and broad network reach. In 2025, 48% of exploited zero-days hit enterprise-grade technology, a record high. Security and networking appliances—such as VPNs, firewalls, and load balancers—are particularly attractive because they sit at the perimeter and are trusted by internal systems. Compromising one can provide a stealthy initial foothold. Additionally, enterprise software such as collaboration suites or ERP platforms is highly interconnected, giving attackers access to sensitive data and lateral movement paths. The variety of threat actors—from state-sponsored groups to cybercriminals—exploiting these systems underscores the critical risk they pose.