Hrslive
2026-05-03

2025 Zero-Day Exploits: A Year of Shifting Targets and Escalating Threats

In 2025, 90 zero-days were exploited in the wild, with a record 48% targeting enterprise technologies. Browser attacks dropped, mobile exploitation rebounded, and state-sponsored groups focused on edge devices.

Overview

In 2025, the Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities that were actively exploited in the wild. While this figure is lower than the record high of 100 observed in 2023, it surpasses the 78 recorded in 2024 and remains within the 60–100 range that has become the new normal over the past four years. This stabilization suggests that threat actors have adapted to a consistent level of exploitation, with enterprise systems now bearing the brunt of the attacks.

Figure: 2025 Zero-Day Exploits: A Year of Shifting Targets and Escalating Threats (Source: www.mandiant.com)

Key Trends in 2025

Rise in Enterprise Exploitation

A structural shift first noted in 2024 deepened in 2025, as enterprise technologies became the primary target for zero-day exploits. Both the raw number (43) and proportion (48%) reached all-time highs, accounting for nearly half of all zero-days used in attacks. This increase is driven by the interconnected nature of enterprise software and the privileged access it can provide across networks and data assets.

Decline in Browser-Based Attacks

Browser-based exploitation fell to historical lows in 2025. This trend reflects a combination of improved browser security measures, such as sandboxing and automatic updates, and a strategic pivot by threat actors toward more profitable targets like operating systems and enterprise applications.

Mobile Vulnerabilities on the Upswing

Mobile zero-day discovery counts have fluctuated over the last three years, dropping from 17 in 2023 to 9 in 2024 before rebounding to 15 in 2025. As mobile platform security evolves, attackers are forced either to chain multiple vulnerabilities to bypass sophisticated protections or to rely on single bugs that yield a lower level of access confined to a specific app or service.

Threat Actors and Techniques

State-Sponsored Groups Target Edge Devices

State-sponsored espionage groups continue to prioritize edge devices and security appliances as prime entry points into victim networks. Just over half of all attributed zero-day exploitation by these groups focused on networking and security appliances. These devices often lack the same level of security oversight as core infrastructure, making them attractive initial access vectors.

Commercial Surveillance Vendors Adapt

Commercial surveillance vendors (CSVs) maintained a strong interest in mobile and browser exploitation, but they have adapted their exploit chains to bypass recently implemented security boundaries. For example, new mitigations like pointer authentication in iOS have forced CSVs to find alternative methods or expand the number of bugs in their chains. This cat-and-mouse game continues to drive innovation on both sides.


BRICKSTORM Malware and IP Theft

Multiple intrusions linked to BRICKSTORM malware deployment demonstrated a range of objectives, from espionage to sabotage. Notably, the targeting of technology companies highlights the potential theft of valuable intellectual property (IP) that can be used to develop new zero-day exploits or gain competitive advantages. This case underscores how zero-day tradecraft is now being directly leveraged for profit and strategic gain.

Analysis and Implications

The data from 2025 paints a clear picture: zero-day exploitation is becoming more enterprise-focused and less browser-centric. Vendors of networking equipment, security appliances, and enterprise software must accelerate patching and hardening of their products. Meanwhile, defenders should prioritize monitoring of edge devices and limit access to sensitive enterprise platforms.

The persistent interest in mobile vulnerabilities, coupled with the increasing complexity of exploit chains, suggests that mobile users remain at risk—especially those targeted by CSVs. Organizations should implement mobile threat defense measures and encourage regular OS updates.

Finally, the BRICKSTORM incidents serve as a stark reminder that zero-day exploits are not just for espionage; they can also facilitate IP theft that fuels further attacks. As we move into 2026, the trend toward stabilization at high volumes of zero-day exploitation will likely continue, requiring constant vigilance and collaboration across the security community.