Google Reports 90 Zero-Day Vulnerabilities Exploited in Active Attacks During 2025
Google’s Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited in the wild during 2025, a 15% increase over 2024’s count of 78, though slightly below the 2023 record of 100.
The figure keeps the annual tally within the 60–100 range established over the past four years, suggesting a stabilization at historically elevated exploitation levels rather than a surge or decline.
Of the 90 tracked zero-days, 47 (52%) targeted end-user platforms, while 43 (48%) impacted enterprise technologies, the highest raw number and proportion ever recorded by GTIG.
Enterprise exploitation reached this all-time high, driven largely by security and networking appliances (21 zero-days), VPN platforms, and virtualization technologies from vendors such as Ivanti and VMware.
Operating systems emerged as the single most exploited product category in 2025, accounting for 44% (39) of all zero-days, up from 31 in 2024, with mobile OS exploitation rebounding to 15 after a dip to 9 in 2024. In contrast, browser-based exploitation fell sharply to fewer than 10 zero-days, reflecting years of hardening work by browser vendors.
Key Zero-Days and Threat Actor Activity
| CVE | Vendor / Product | Exploit Type | Threat Actor |
|---|---|---|---|
| CVE-2025-21590 | Juniper Routers | Edge Device Exploitation | UNC3886 (PRC-nexus) |
| CVE-2025-0282 | Ivanti Connect Secure VPN | Initial Access / RCE | UNC5221 (PRC-nexus) |
| CVE-2025-40602 | SonicWall SMA 1000 | Local Privilege Escalation | GTIG-reported |
| CVE-2025-23006 | SonicWall SMA 1000 | Authentication Bypass | Multiple Actors |
| CVE-2025-61882 / CVE-2025-61884 | Oracle E-Business Suite | Zero-Day Initial Access | FIN11 / CL0P |
| CVE-2025-8088 | WinRAR | Malware Distribution | UNC2165 / Evil Corp |
| CVE-2025-2783 | Google Chrome (Windows) | Browser Sandbox Escape | APT (ForumTroll) |
| CVE-2025-21042 | Samsung Quram Library (DNG) | Memory Corruption / RCE | Surveillance Actor |
| CVE-2025-48543 | Android Runtime (ART) | Use-After-Free / Sandbox Escape | CSV-linked Actor |
| CVE-2025-27038 | Qualcomm Adreno GPU | UAF / Code Execution | Chained Exploit |
| CVE-2025-6558 | Mali GPU User-land Library | Out-of-Bounds Write | Chained Exploit |
| CVE-2025-14174 | Apple Metal Backend (ANGLE) | Out-of-Bounds Memory Access | Device-Specific Actor |
| CVE-2025-43300 | Samsung DNG / Quram Library | Memory Corruption | Surveillance Actor |
For the first time in GTIG’s tracking history, Commercial Surveillance Vendors (CSVs) surpassed traditional state-sponsored espionage groups in the number of attributed zero-day exploits.
Vendors like Intellexa continued delivering sophisticated spyware to high-paying clients by targeting mobile and browser platforms, expanding exploit chains to bypass modern security boundaries.
Among nation-state actors, PRC-nexus groups remained the most prolific, exploiting at least 10 zero-days in 2025, double the 5 attributed in 2024, with a continued focus on edge devices and networking infrastructure for persistent, long-term access. Notably, North Korea, which was linked to 5 zero-days in 2024, had zero attributed zero-days in 2025.
Financially motivated actors also surged, with 9 zero-days attributed to ransomware and extortion groups, nearly matching the 2023 record high of 10. FIN11/CL0P exploited Oracle E-Business Suite vulnerabilities as early as August 2025, weeks before patches were available, and launched large-scale extortion campaigns against enterprise customers.
BRICKSTORM malware intrusions, attributed to PRC-nexus operators, introduced a potentially new paradigm: stealing intellectual property, including source code from technology companies, to fuel future zero-day development, according to GTIG.
GTIG warns that AI will intensify the 2026 threat landscape, enabling adversaries to automate reconnaissance, accelerate vulnerability discovery, and compress exploit development timelines.
At the same time, AI-powered defensive tools, including agentic solutions that can proactively patch unknown flaws, allow defenders to close the window of exposure before attackers can act.
Site: cybersecuritypath.com