Mallory

Google GTIG Report Finds 90 Zero-Day Vulnerabilities Exploited in 2025, With Growing Commercial Spyware Activity

Tags: actively-exploited-vulnerability, rapid-weaponization, state-sponsored-espionage, perimeter-device-exposure, endpoint-software-vulnerability

Updated March 26, 2026 at 01:31 PM (11 sources)


Google Threat Intelligence Group (GTIG) reported tracking 90 zero-day vulnerabilities exploited in the wild during 2025, up from 78 in 2024 but below the 2023 peak of 100. GTIG said it could directly attribute exploitation for 42 of the 90, including 18 assessed as definitively or likely used by commercial surveillance vendors (CSVs). State-sponsored espionage groups, including PRC-, Russia-, and UAE-linked activity, continued to exploit zero-days, often prioritizing edge devices and security appliances (routers, firewalls, VPNs and other perimeter technologies) to gain access to target organizations. The report also highlighted vendor and platform targeting patterns: Microsoft products were most frequently affected, followed by Google and Apple, and target categories shifted, with mobile-device zero-days fluctuating and browser zero-days declining.

Google's accompanying analysis emphasized that, for the first time in its tracking, attributed CSV exploitation exceeded attributed traditional state-sponsored cyber-espionage, reflecting a broader trend of commercial exploit capabilities being productized and used by a wider set of customers. Separate commentary on exploitation timelines argued that the window between disclosure and exploitation has compressed rapidly, citing a "Zero Day Clock" dataset built from thousands of CVE-to-exploit observations and additional findings such as a material share of known-exploited vulnerabilities being weaponized on or before CVE publication. The practical implication for defenders is to assume faster weaponization and a shorter patching lead time for high-value targets, especially perimeter devices and mobile and browser attack surfaces.

Timeline

  1. Mar 5, 2026

    Google publishes its 2025 zero-day review

    On March 5, 2026, Google Cloud and GTIG published their annual review of 2025 zero-day exploitation, detailing 90 in-the-wild cases, the rise of enterprise targeting, and the growing role of commercial surveillance vendors. The report also warned that AI could further accelerate exploit discovery and development in 2026.

  2. Dec 31, 2025

    Attackers use SonicWall SMA 1000 exploit chain to gain root access

    In late 2025, attackers used a SonicWall SMA 1000 exploit chain combining an authentication bypass, a deserialization RCE, and local privilege escalation zero-day CVE-2025-40602. The chain allowed compromise of the appliance up to root level.

  3. Dec 31, 2025

    Samsung Quram DNG exploit chain targets WhatsApp delivery path

    Google described suspicious 2025 exploitation of Samsung's Quram image library flaw CVE-2025-21042 using DNG images delivered through a WhatsApp-to-MediaStore path. The report said weak sandboxing in com.samsung.ipservice could enable powerful surveillance outcomes from a single memory-corruption bug.

  4. Dec 31, 2025

    Clop-linked campaign exploits Oracle E-Business Suite flaws

    Google highlighted a 2025 campaign linked to Clop/FIN11 that exploited Oracle E-Business Suite vulnerabilities and stole HR data from dozens of organizations, including Harvard University, Envoy, and The Washington Post. The activity illustrated financially motivated zero-day exploitation at scale.

  5. Dec 31, 2025

    Financially motivated groups expand zero-day exploitation in 2025

    GTIG attributed nine zero-days in 2025 to financially motivated actors, showing increased criminal use of high-end exploits. The report cited activity linked to CL0P/FIN11 and Russian-linked clusters, including overlap on CVE-2025-8088.

  6. Dec 31, 2025

    China-linked espionage groups lead state-backed zero-day exploitation in 2025

    Google assessed PRC-linked espionage groups as the most prolific state users of zero-days in 2025, with at least 10 attributed cases. Their activity focused heavily on edge devices, security appliances, and networking infrastructure for persistent access.

  7. Dec 31, 2025

    Commercial spyware vendors surpass state actors in 2025 zero-day use

    For the first time in Google's tracking, commercial surveillance vendors were attributed more zero-day exploitation in 2025 than traditional state-sponsored espionage groups. The finding marked a notable shift in how governments and customers obtain offensive cyber capabilities.

  8. Dec 31, 2025

    Google tracks 90 zero-days exploited during 2025

    GTIG reported that 90 zero-day vulnerabilities were actively exploited in the wild in 2025. Nearly half affected enterprise technologies, with Microsoft products the most targeted and operating systems a major category.

  9. Dec 31, 2024

    Google tracks 78 zero-days exploited in 2024

    Google Threat Intelligence Group recorded 78 zero-day vulnerabilities exploited in the wild during 2024, establishing the baseline for later year-over-year comparisons in its 2025 review.


Related Stories

Rising exploitation pressure from zero-days and known exploited vulnerabilities

Security reporting and research highlighted accelerating exploitation pressure on enterprises, driven by both **zero-day** activity and the growing backlog of **known exploited vulnerabilities (KEVs)**. A Talos retrospective counted **48,196 CVEs in 2025** and **241 KEVs** (up from 186 in 2024), with a notable share of KEVs originating from older CVEs and even vulnerabilities dating back to 2007—reinforcing that attackers continue to monetize long-lived weaknesses when patching and asset visibility lag. Talos also noted disproportionate exploitation targeting **network edge infrastructure** (e.g., firewalls/VPNs), underscoring the operational risk of unpatched or hard-to-patch appliances and legacy systems. Separate threat reporting pointed to expanding attack volume and shifting attacker tradecraft that can amplify exploitation impact. Check Point data cited by Dark Reading said **Latin America** is seeing substantially higher weekly attack volume than the US (including higher proportions of **ransomware** and **infostealer** activity), consistent with adversaries concentrating on regions with faster digital adoption and lower security maturity. CSO Online also reported that the *Coruna* **iOS exploit kit** rapidly evolved from a targeted spyware capability into broader criminal use, illustrating how advanced exploitation tooling can commoditize quickly and increase the likelihood of opportunistic compromise across a wider victim set.

1 month ago

Major Zero-Day Exploitation and Supply Chain Threats in December 2025

Multiple critical zero-day vulnerabilities affecting Windows, Chrome, Apple devices, and popular enterprise software were actively exploited in December 2025, with attackers rapidly weaponizing newly disclosed flaws. Notable incidents included the exploitation of the React2Shell vulnerability in React 19, which was leveraged by a range of threat actors—from Chinese state-sponsored groups to North Korean-linked campaigns—deploying malware such as EtherRAT, PeerBlight, and BPFDoor. Emergency patches were released by vendors including Google and Apple, while Microsoft addressed an actively exploited Windows zero-day in its Patch Tuesday updates. The MITRE Top 25 Most Dangerous Software Weaknesses list for 2025 highlighted persistent coding errors that continue to be targeted by adversaries, emphasizing the need for secure development practices. Supply chain attacks also surged, with threat actors increasingly targeting GitHub Actions to compromise software development workflows. High-profile incidents such as the exploitation of Gogs and other open-source platforms underscored the risks inherent in collaborative coding environments. Security researchers and agencies like CISA responded by adding new vulnerabilities to their Known Exploited Vulnerabilities catalogs and urging organizations to prioritize patching and adopt a shared responsibility model for securing code repositories. The rapid pace of exploitation and the diversity of attack vectors reinforced the importance of agility, visibility, and proactive defense in enterprise cybersecurity strategies.

1 month ago

Surge in Zero-Click and Zero-Day Exploits Targeting Mobile Devices

A significant escalation in zero-click and zero-day exploitation techniques was observed throughout 2025, with attackers increasingly targeting mobile platforms such as iOS. Zero-click exploits, which require no user interaction, have become a preferred method for advanced persistent threats, nation-state actors, and commercial surveillance vendors. At least 14 major zero-click vulnerabilities were identified, affecting billions of devices and highlighting the growing attack surface beyond traditional user-driven threats. The average time from vulnerability disclosure to exploitation has dropped dramatically, putting pressure on organizations to accelerate patching cycles and improve detection capabilities. Recent reports confirm that multiple zero-day vulnerabilities in iOS were actively exploited in targeted spyware campaigns before patches became available. Attackers leveraged flaws in core mobile components, such as browser engines, to execute malicious code and compromise devices with minimal or no user involvement. These incidents underscore the persistent risks posed by mobile spyware and the critical need for rapid patching, enhanced mobile OS visibility, and continuous monitoring for anomalous device behavior as mobile endpoints remain high-value targets for cyber adversaries.

1 month ago