2025 Zero-Day Exploitation: Key Findings and Evolution

<div>
<p>Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited in the wild during 2025. This number, while lower than the record 100 seen in 2023, marks a slight increase from 2024's count of 78 and remains within the established 60–100 range of the past four years, suggesting that activity has stabilized at these levels. The report highlights a significant structural shift toward enterprise exploitation: state-sponsored groups continue to prioritize edge devices and security appliances, while commercial surveillance vendors (CSVs) maintain their focus on mobile and browser exploits. Below, we break down the most critical trends and insights from the year's zero-day landscape.</p>
<ul>
<li><a href='#q1'>How many zero-days were exploited in 2025 and how does it compare to recent years?</a></li>
<li><a href='#q2'>What major shift occurred in the types of technologies targeted by zero-days in 2025?</a></li>
<li><a href='#q3'>Why did mobile zero-day counts fluctuate over the past three years?</a></li>
<li><a href='#q4'>Which threat actors are exploiting edge devices and security appliances, and for what purpose?</a></li>
<li><a href='#q5'>How did commercial surveillance vendors (CSVs) adapt their exploitation strategies in 2025?</a></li>
<li><a href='#q6'>What was the role of the BRICKSTORM malware in 2025 zero-day campaigns?</a></li>
</ul>
<h2 id='q1'>How many zero-days were exploited in 2025 and how does it compare to recent years?</h2>
<p>In 2025, GTIG tracked <strong>90 zero-day vulnerabilities</strong> that were exploited in the wild. This figure is notably lower than the record high of 100 observed in 2023 but higher than the 78 counted in 2024. The numbers have consistently fallen within a <strong>60–100 range</strong> over the previous four years, indicating a trend toward stabilization. This stability suggests that while zero-day exploitation remains a persistent threat, it is not dramatically increasing year over year. Instead, attackers appear to be maintaining a steady pace, possibly redistributing their efforts across different technology categories rather than increasing overall volume.</p>
<figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/zero-day-2025-fig1a.jpg" alt="2025 Zero-Day Exploitation: Key Findings and Evolution" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure>
<h2 id='q2'>What major shift occurred in the types of technologies targeted by zero-days in 2025?</h2>
<p>The most significant shift in 2025 was the <strong>dramatic increase in enterprise exploitation</strong>. Enterprise technologies accounted for <strong>43 zero-days, or 48%</strong> of all zero-days exploited, a new all-time high. This marks a structural change first noted in 2024 and now firmly established. At the same time, browser-based exploitation dropped to historical lows, while abuse of operating system vulnerabilities increased. Attackers are increasingly targeting <strong>enterprise software, networking devices, and security appliances</strong>, which provide privileged access across networks and data assets. This shift highlights the growing risk posed by trusted edge infrastructure and the value attackers place on gaining initial access through these platforms.</p>
<h2 id='q3'>Why did mobile zero-day counts fluctuate over the past three years?</h2>
<p>Mobile zero-day counts have shown notable fluctuation: <strong>17 in 2023, dropping to 9 in 2024, then rebounding to 15 in 2025</strong>. This volatility is driven by evolving vendor mitigations that make simplistic exploitation harder. In response, threat actors have had to <strong>expand or adjust their techniques</strong>. In some cases, they chain multiple vulnerabilities together to reach the desired access level within highly protected components. Conversely, attackers have also achieved successful exploitation with fewer bugs, or even a single one, by targeting lower-level access points within applications or services. The net effect is a dynamic arms race in which the complexity on both sides dictates the number and nature of the vulnerabilities exploited.</p>
<figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png" alt="2025 Zero-Day Exploitation: Key Findings and Evolution" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure>
<h2 id='q4'>Which threat actors are exploiting edge devices and security appliances, and for what purpose?</h2>
<p><strong>State-sponsored espionage groups</strong> continue to prioritize edge devices and security appliances as prime entry points into victim networks. In 2025, just over half of the zero-day exploitation attributed to these groups focused on such technologies. Devices like firewalls, VPN gateways, and network security appliances are attractive because they sit at the network perimeter, have broad access, and may be patched less frequently than other systems. By compromising these devices, attackers can gain persistent, privileged access to internal networks. This trend underscores the critical need for organizations to rigorously patch and monitor their edge infrastructure, as it remains a high-value target for advanced persistent threats.</p>
<h2 id='q5'>How did commercial surveillance vendors (CSVs) adapt their exploitation strategies in 2025?</h2>
<p>Commercial surveillance vendors (CSVs) maintained their interest in <strong>mobile and browser exploitation</strong>, but they adapted their techniques to bypass newer security boundaries. In 2025, they expanded and adjusted their exploit chains to overcome improvements in mobile security, such as stronger sandboxing and memory protections. In some cases, CSVs increased the number of chained vulnerabilities to achieve deeper access within highly protected components. In others, they managed to exploit systems with fewer bugs by targeting lower-level privileges within a single application or service. This dual strategy allows CSVs to continue delivering spyware and surveillance capabilities despite evolving defenses.</p>
<h2 id='q6'>What was the role of the BRICKSTORM malware in 2025 zero-day campaigns?</h2>
<p>Multiple intrusions linked to <strong>BRICKSTORM malware</strong> deployment were observed in 2025, demonstrating a range of objectives from intelligence gathering to intellectual property theft. Particularly concerning was the targeting of technology companies, which could lead to the theft of valuable IP that threat actors could then use to <strong>develop new zero-day exploits</strong>. BRICKSTORM campaigns often leveraged zero-day vulnerabilities for initial access, then used custom tools to maintain persistence and exfiltrate data. The malware's appearance across multiple sectors indicates that it has become a favored tool among certain espionage groups, capable of adapting to different target environments and operational goals.</p>
</div>