SECURITY
A new report out today from Google LLC’s Threat Intelligence Group finds that zero-day vulnerability exploitation remained elevated in 2025 as attackers increasingly targeted enterprise infrastructure and security appliances rather than traditional consumer software.
A zero-day vulnerability is a previously unknown software vulnerability that attackers exploit before the vendor has had any time, that is, zero days, to fix or patch it.
Google TIG’s “Look What You Made Us Patch: 2025 Zero-Days in Review,” the company’s annual zero-day report, says that Google’s researchers tracked 90 zero-day vulnerabilities through 2025. That’s down from a record of 100 in 2023 but higher than the 78 recorded in 2024.
By category, 43 exploited zero-days in 2025 targeted enterprise software and infrastructure such as networking devices, security appliances and virtualization platforms. Security and networking appliances accounted for roughly half of those enterprise-related vulnerabilities.
Operating systems were the single most targeted category, accounting for 44% of all zero-day vulnerabilities in 2025. Mobile devices also saw increased exploitation: Fifteen mobile-related zero-days were identified during the year, compared with nine in 2024.
The report highlights a shift in the actors driving zero-day exploitation. Commercial surveillance vendors were found to be responsible for more attributed zero-day exploitation than traditional state-sponsored espionage groups, the first time this has happened since Google TIG began tracking such activity.
Commercial surveillance companies develop and sell sophisticated exploit capabilities to government customers. They’re looking to expand access to advanced hacking tools beyond a few traditional large national intelligence agencies.
The rise of commercial surveillance aside, state-sponsored operations remained significant in 2025. Researchers claim that alleged Chinese government-aligned espionage groups continued to dominate traditional state-backed exploitation and frequently targeted edge devices and security infrastructure to maintain long-term access to strategic networks.
Looking toward the future, the report warns that artificial intelligence could further accelerate the zero-day landscape. The researchers expect attackers to increasingly use AI tools to automate reconnaissance, vulnerability discovery and exploit development.
The report concludes with a warning that defenders need to prioritize defenses and mitigate zero-day threats.
“Defenders should prepare for when, not if, a compromise happens,” the report’s authors write. “System architectures should be designed and built with security awareness ingrained, allowing inherent segmentation and least privilege access. Comprehensive defensive measures as well as response efforts require a real-time inventory of all assets to be audited and maintained. While not preventative, continuous monitoring and anomaly detection, within both systems and networks, paired with refined and actionable alerting capabilities is a real-time way to detect and act against threats as they occur.”