Posted on 03/05/2026 4:18:05 PM PST by nickcarraway
Of the 90 zero-days GTIG tracked in 2025, 43 hit
Zero-day exploitation targeting enterprise tech products reached an all-time high last year, with China-linked cyber-espionage groups remaining the most prolific state-backed users, according to Google.
Google Threat Intelligence Group tracked 43 zero-days in enterprise software and appliances in 2025, representing 48 percent of all attacks against these previously undisclosed bugs. That's up from 36 (46 percent) in 2024.
In total, the Chocolate Factory documented 90 zero-day vulnerabilities actively exploited last year, which is more than 2024's number (78), but still not as many as 2023's record high of 100.
And while end-user product attacks still slightly outpace those targeting enterprise software and appliances, this most recent report is yet another indicator of attackers' shift since 2023 toward exploiting big orgs.
Security and networking devices were the hardest hit, comprising nearly half (21) of the enterprise-related zero-days last year. Google also noted that 14 enterprise tech zero-days in 2025 affected edge devices, such as routers, switches, and gateways, but added, "this figure likely underrepresents the true scale of activity due to inhibited detection capabilities."
Many of these edge devices don't run endpoint security tools - which is why they make very attractive targets for attackers.
Most of these enterprise attacks appear to be espionage related, and China-linked groups are the biggest offenders, Google's security sleuths told The Register.
"Of the exploitation we were able to attribute, we identified a higher proportion of traditional state-sponsored espionage groups compared to CSVs or cybercrime groups," cyber threat intelligence analyst James Sadowski said.
This is noteworthy because in 2025, for the first time since they started tracking zero-day exploits, Google's threat intel group attributed more zero-days to CSVs - commercial surveillance vendors - than they did to traditional government-backed cyber snoops.
CSVs are private companies such as NSO Group, Intellexa, and Candiru that develop and sell spyware and exploits, ostensibly to government agencies and law enforcement for legal intel gathering and crime-fighting assistance. It's not always used for these purposes, however, and spyware is sometimes found on devices belonging to journalists, protesters, and political opposition leaders.
Of the 90 total zero-days, GTIG was able to attribute 42 of them to a particular type of group: 15 of these were exploited by CSVs, plus another three by "likely CSVs," 12 by state-sponsored espionage groups (seven from China), another three by "likely" government spies (also China), nine by financially motivated cyber criminals, and one by dual spies-slash-cybercrims.
Google Threat Intelligence Group security engineer Clement Lecigne declined to name the most prolific CSVs in 2025. "We continue to observe a variety of these vendors exploiting zero-days in their spyware, but aren't able to share specifics at this time," he told The Register, noting that his fellow bug hunters have previously discussed many of the most active CSVs in earlier reports.
When it comes to enterprise-tech zero-days, however, government-linked spies - not CSVs - take the lead.
"In particular, PRC-nexus espionage groups exploited the highest number of enterprise tech zero-days we attributed, in large part due to these groups' focus on edge device exploitation and broader security and networking devices," Sadowski said.
"Cyber espionage and intelligence collection, either via CSVs or traditional state-sponsored groups, drive a large volume of zero-day exploitation we have been able to attribute," he added. "The targeting of technology companies in the Brickstorm campaign also demonstrated the potential theft of valuable IP to further the development of zero-day exploits."
Plus, in what will likely come as no surprise to anyone who celebrates Patch Tuesday, Microsoft saw the most total zero-days exploited last year. Google (11) and Apple (8) round out the top three. ®
Google is not a tech company. They are an advertising company. A worldwide monopoly. That is how they make all of their money. They are almost completely staffed by Indian citizens living in the USA.
LOL. I worked there, they are not almost completely staffed by Indians. Sure there are some Indians, but not nearly at the rate you suggest. And Indiana wouldn’t be considered a diversity hire.
That is because you worked for Google in Indiana. lol
All the big AI firms are almost all staffed by Indians.
WTH is a zero day attack?
A zero-day attack is when hackers find a vulnerability in software and use it before the creators or maintainers have a chance to fix it.
The last time I was in Indiana, was over a decade before Google even existed. I worked at the HQ in Mountain View.
> I worked at the HQ in Mountain View.
In the HR department.
Recruiting software engineers.