10 Key Insights from 2025's Zero-Day Exploitation Landscape

<p>In 2025, the Google Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild—a figure that, while lower than the record 100 in 2023, surpasses 2024’s 78 and stays within the 60–100 range seen over the past four years. This suggests a plateau in zero-day activity, but the nature of exploitation is shifting dramatically. Enterprise technologies now bear the brunt of attacks, browser-based exploits are on the decline, and state-sponsored groups are increasingly targeting edge devices. This article unpacks the ten most important findings from the report to help security teams understand where threats are heading.</p>

<h2 id="item1">1. Zero-Day Count Stabilizes Around 90</h2>

<p>The total number of zero-days observed in 2025—90—continues a trend of relative stability. After the spike to 100 in 2023 and a dip to 78 in 2024, the 2025 figure reinforces a pattern of sustained exploitation. This plateau suggests that attackers are maintaining a consistent tempo, possibly due to improved vulnerability discovery and disclosure processes. However, the mix of targeted platforms has evolved, with enterprise environments taking center stage.</p>

<figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/zero-day-2025-fig1a.jpg" alt="10 Key Insights from 2025&#039;s Zero-Day Exploitation Landscape" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure>

<h2 id="item2">2. Enterprise Exploitation Reaches All-Time High</h2>

<p>Nearly half—48%—of the zero-days documented in 2025 affected enterprise software and technologies. This marks a new record and underscores a structural shift first noted in 2024. Attackers are increasingly leveraging vulnerabilities in enterprise platforms to gain privileged access across interconnected networks. The growth is driven by both state-sponsored groups and commercial actors, who prize the high-value data and lateral movement opportunities these systems provide.</p>

<h2 id="item3">3. Browser Exploitation Hits Historic Lows</h2>

<p>Browser-based zero-days fell to their lowest observed levels in 2025. This decline reflects the effectiveness of modern browser security measures—such as sandboxing, site isolation, and automatic updates—which force attackers to seek alternative entry points. Meanwhile, operating system vulnerabilities have seen a corresponding uptick, as criminals and spies alike shift focus to lower-level system compromises.</p>

<h2 id="item4">4. Operating System Vulnerabilities on the Rise</h2>

<p>With browser exploitation waning, operating system zero-days have become more common in 2025. Attackers are targeting flaws in core OS components to achieve persistence and elevated privileges. This trend is particularly concerning for mobile and desktop platforms, where OS-level bugs can bypass application-layer defenses. The increase underscores the need for timely patches and robust endpoint protection.</p>

<h2 id="item5">5. State-Sponsored Groups Target Edge Devices</h2>

<p>State-sponsored espionage groups continue to prioritize edge devices—such as firewalls, VPN concentrators, and security appliances—as initial access vectors. In 2025, just over half of all attributed zero-day exploitation by these actors focused on these technologies. Edge devices often run customized firmware and receive less frequent updates, making them attractive, high-impact targets for stealthy intrusions.</p>

<h2 id="item6">6. Commercial Surveillance Vendors Shift Tactics</h2>

<p>Commercial surveillance vendors (CSVs) remain active, adapting their exploit chains to counter recent mobile security improvements. They are chaining multiple vulnerabilities to penetrate deeply protected components, such as kernel or baseband layers. At the same time, they have sometimes succeeded with fewer bugs by targeting lower levels of access within a single app or service. This flexibility keeps mobile devices in the crosshairs.</p>

<figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png" alt="10 Key Insights from 2025&#039;s Zero-Day Exploitation Landscape" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure>

<h2 id="item7">7. Mobile Zero-Days Rebound Amidst Increasing Complexity</h2>

<p>After dipping to 9 in 2024, mobile zero-days rose to 15 in 2025. The fluctuation reflects the cat-and-mouse game between vendors hardening their platforms and attackers finding workarounds. Complexity is the key driver: as mobile protections evolve, threat actors must invest more effort to craft exploits that bypass modern mitigations, often by chaining multiple bugs.</p>

<h2 id="item8">8. Attackers Chain Vulnerabilities to Bypass Protections</h2>

<p>In response to stronger security features, attackers are increasingly chaining multiple zero-days in a single exploit sequence. In 2025, several campaigns combined kernel, browser, and sandbox escape vulnerabilities to achieve full device compromise. Conversely, some attackers succeeded with a single bug by targeting lower-level access, such as an application’s least-privileged component. This trend demands layered defense strategies.</p>

<h2 id="item9">9. Security Appliances Remain Prime Entry Points</h2>

<p>Security and networking appliances—including firewalls, load balancers, and VPN gateways—continue to be heavily targeted for initial access. In 2025, multiple threat actor groups exploited zero-days in these devices to establish footholds inside corporate networks. The trusted nature of these appliances often allows attackers to evade detection, highlighting the need for rigorous patch management and network segmentation.</p>

<h2 id="item10">10. BRICKSTORM Malware Targets Tech IP for Zero-Day Development</h2>

<p>Multiple intrusions linked to the BRICKSTORM malware family in 2025 demonstrated a disturbing objective: theft of intellectual property from technology companies. The stolen IP appears to directly fuel zero-day exploit development, creating a dangerous feedback loop. These attacks underscore the value of protecting source code, vulnerability research, and exploit tooling from both espionage and commercial competitors.</p>

<p>In conclusion, the 2025 zero-day landscape reveals a maturing threat environment where enterprise assets are the primary target, browser attacks fade, and state and commercial actors adapt to new defenses. Security teams should prioritize patch management for edge devices and enterprise software, invest in mobile security upgrades, and monitor for exploit chains that combine multiple vulnerabilities. The trend of IP theft for exploit development also calls for stronger protective measures around sensitive research and development data.</p>
