90 zero-days exploited in 2025: the threat map that redefines cybersecurity

Published · 6 min read · 126 reads

The Google Threat Intelligence Group (GTIG) has just closed its annual review and the message is clear: zero-days remain a persistent and, on some fronts, growing threat. In 2025, Google's researchers identified 90 zero-day vulnerabilities that were actively exploited in the wild, almost half of them affecting enterprise-oriented products and devices. That total is up from 2024, when 78 cases were recorded, although it does not reach the 2023 peak, when GTIG counted 100 vulnerabilities exploited in the wild. For readers who do not work in security every day, a zero-day vulnerability is a software flaw that attackers exploit before the vendor has had a chance to patch it, which gives them a particularly valuable window in which to gain initial access, execute code remotely or escalate privileges.

The year's breakdown shows a balanced split between end-user platforms and enterprise solutions: 47 of these zero-days targeted systems used by consumers and professionals on their desktops and mobile devices, while 43 hit products designed for corporate networks, perimeter security and virtualization. The exploited bugs ranged from remote code execution and privilege escalation to injection, deserialization and memory-corruption problems such as use-after-free; Google notes that memory-safety bugs accounted for about 35% of the total, a reminder that classic memory-management errors continue to pay off for attackers.

Image: generated with AI.

In the enterprise space, the favorite targets were the equipment that offers privileged access to the network: security appliances, network infrastructure, VPN products and virtualization platforms. These components often hold high privileges and, in many deployments, sit outside the reach of endpoint detection and response (EDR) tools, which makes them very attractive back doors for malicious actors.

Looking at software categories, operating systems topped the list: GTIG recorded 24 zero-days against desktop systems and 15 against mobile platforms. Exploits against web browsers dropped significantly, to only eight cases in 2025, and Google suggests that part of that fall may be due to the hardening of browsers in recent years; another possible explanation is that attackers are using more sophisticated stealth techniques that make detection harder.

As for who was targeted, Microsoft led the list of most-attacked vendors with 25 exploited vulnerabilities, followed by Google with 11 and Apple with 8; Cisco and Fortinet had four each, while Ivanti and VMware had three each. These numbers show that even large vendors, with mature security resources and programs, continue to see their products targeted with exploits for unpatched flaws.

A finding that breaks the historical trend is the role of commercial surveillance vendors (CSVs). For the first time since GTIG began tracking zero-day exploitation, these companies and their customers were the largest consumers of undisclosed vulnerabilities, surpassing state-sponsored groups. This observation is consistent with research and reports from organizations such as Citizen Lab, which have documented the impact and reach of the commercial spyware market in surveillance and offensive operations.

Among state actors, China-linked groups were the most active, responsible for ten zero-days exploited in 2025 and targeting mainly network-edge devices and infrastructure components to maintain persistent access. No less relevant was the rise of financially motivated actors, ransomware and data-extortion crews, who used nine of the observed flaws, demonstrating that exploiting unpatched flaws is now part of the toolbox of both espionage and organized crime.

Looking ahead, GTIG warns that artificial intelligence is changing the rules of the game: automated techniques can accelerate the discovery of vulnerabilities and the creation of exploits, which will probably keep the number of exploited zero-days high in 2026. This view is not exclusive to Google; European and global agencies and analysis centres have pointed out in recent months that AI lowers technical barriers for attackers, both in generating proofs of concept and in automating the search through large code bases (ENISA provides documentation and warnings on the impact of increased AI use on cybersecurity).

As an operational example of how attackers are evolving, the report highlights campaigns such as Brickstorm, which reveal a strategic shift: less interest in stealing source code and more focus on finding flaws in products that are still in development or about to reach the market. This approach lets attackers prepare exploits in advance and use them once the software reaches production, with a high potential impact.

Image: generated with AI.

What can organizations and users do to reduce risk? GTIG's recommendations come back to pillars that security teams know well: reduce the attack surface and privilege exposure, continuously monitor systems for abnormal behaviour, and maintain agile patching and incident-response processes. In practice this means knowing the asset inventory, segmenting networks to limit the scope of an intrusion, applying least-privilege policies, using detection tools that cover critical network layers and servers, and ensuring that important updates are deployed quickly and with appropriate testing.

The picture GTIG paints is not one of imminent catastrophe but of sustained and shifting pressure: zero-days remain a high-value currency for very diverse actors, and emerging tools like AI promise to accelerate both the search for flaws and the creation of exploits. The answer lies not in miracle solutions but in strengthening basic cyber-hygiene practices, investing in visibility and maintaining well-tested response procedures, because that operational margin is where you buy the time to mitigate a flaw before it becomes a major incident.

For those who want to consult the original report and dig into the detailed methodology and cases, GTIG published its annual review, including charts, campaign examples and recommendations: 2025 Zero-Day Review - Google Cloud. To see how public authorities catalogue and prioritize actively exploited vulnerabilities, CISA's list of known exploited vulnerabilities is a practical reference: CISA - Known Exploited Vulnerabilities Catalog.
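The recommendations above (know your inventory, patch quickly, and mind the appliances that sit outside EDR coverage) and the CISA KEV catalogue just mentioned can be tied together in a small prioritization script. The following is an added example, not code from GTIG, CISA or the report: it cross-references a constructed asset inventory against a constructed KEV-style snapshot and ranks unpatched findings by the KEV remediation due date, known ransomware use and whether the asset has an EDR agent. The field names mirror those of CISA's KEV JSON feed, but the catalogue entries, hostnames and CVE identifiers (CVE-0000-...) are placeholders, and the scoring weights are an assumption chosen for illustration.

```python
"""Cross-reference an asset inventory with a CISA KEV-style catalogue to rank
what to patch first.  Added example: not code from GTIG or CISA.  The catalogue
snapshot, inventory, hostnames and CVE IDs are constructed placeholders; in
practice the snapshot would be loaded from the CISA KEV JSON feed, whose field
names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse)
this snapshot mirrors."""
from datetime import date

# Constructed KEV-style snapshot. CVE IDs are placeholders, not real identifiers.
KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVPN Corp",
         "product": "Edge Gateway", "dueDate": "2025-03-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleOS Inc",
         "product": "Desktop OS", "dueDate": "2025-06-15",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleBrowser",
         "product": "Browser", "dueDate": "2025-05-10",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory. "edr" records whether an EDR agent covers the asset;
# edge appliances often have none, which the scoring treats as a risk factor.
INVENTORY = [
    {"host": "vpn-01", "vendor": "examplevpn corp", "product": "edge gateway",
     "edr": False, "patched": set()},
    {"host": "ws-042", "vendor": "ExampleOS Inc", "product": "Desktop OS",
     "edr": True, "patched": {"CVE-0000-00002"}},
    {"host": "ws-077", "vendor": "ExampleOS Inc", "product": "Desktop OS",
     "edr": True, "patched": set()},
    {"host": "prn-01", "vendor": "Other Vendor", "product": "Printer",
     "edr": False, "patched": set()},
]


def _key(vendor, product):
    """Normalise vendor/product names so spelling differences still match."""
    return (vendor.strip().lower(), product.strip().lower())


def index_kev(catalog):
    """Map (vendor, product) -> list of KEV entries."""
    index = {}
    for entry in catalog["vulnerabilities"]:
        index.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    return index


def score(entry, asset, today):
    """Higher means patch sooner (weights are an illustrative assumption)."""
    due = date.fromisoformat(entry["dueDate"])
    points = 0
    if today > due:
        points += 100          # already past the KEV remediation deadline
    elif (due - today).days <= 14:
        points += 50           # deadline within two weeks
    if entry.get("knownRansomwareCampaignUse") == "Known":
        points += 30           # actively used by ransomware crews
    if not asset["edr"]:
        points += 20           # no endpoint telemetry to catch post-exploitation
    return points


def exposed_assets(catalog, inventory, today):
    """Return unpatched (asset, KEV entry) findings, most urgent first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    index = index_kev(catalog)
    findings = []
    for asset in inventory:
        for entry in index.get(_key(asset["vendor"], asset["product"]), []):
            if entry["cveID"] in asset["patched"]:
                continue       # already remediated on this host
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "overdue": today > date.fromisoformat(entry["dueDate"]),
                "score": score(entry, asset, today),
            })
    findings.sort(key=lambda f: (-f["score"], f["due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in exposed_assets(KEV_SNAPSHOT, INVENTORY, "2025-05-01"):
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f'{f["score"]:>4}  {f["host"]:<8} {f["cve"]}  {flag}')
```

Run against the constructed data with 2025-05-01 as "today", the unmonitored VPN gateway with an overdue, ransomware-linked entry comes out on top, the workstation that already has its fix applied is dropped, and the printer produces no finding because nothing in the catalogue matches it. Replacing the snapshot with the real KEV feed and the inventory with a CMDB export turns this into a daily check that answers the report's "patch quickly, watch the edge" advice with a concrete work queue.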
