The cybersecurity landscape continues to evolve at a pace that challenges even the most advanced defenses. A new analysis from Google’s Threat Intelligence Group (GTIG) provides a detailed examination of how zero-day vulnerabilities are being discovered, weaponized, and exploited across the global digital ecosystem. The report, published by Google Cloud as part of its threat intelligence research, offers a rare look into the operational dynamics of zero-day exploitation and the actors driving these attacks.

The findings show that while the number of zero-day vulnerabilities exploited in the wild fluctuates year to year, the strategic value of these vulnerabilities for cyber espionage, surveillance, and financially motivated attacks continues to grow. The report also reveals a shift in targeting priorities—from consumer devices toward enterprise infrastructure—reflecting how attackers increasingly aim for systems that can provide broader access to corporate networks and sensitive data.

Zero-Day Exploits Remain a Core Tool for Advanced Threat Actors

According to the analysis published by Google’s Threat Intelligence Group, researchers tracked 75 zero-day vulnerabilities actively exploited in the wild during 2024, a decline from 98 recorded in 2023 but still significantly higher than earlier years. 

Zero-day vulnerabilities—software flaws that are unknown to vendors at the time of exploitation—are among the most powerful tools in cyber operations because they allow attackers to bypass security controls before patches are available.

Despite the slight decline in the number of exploited vulnerabilities, the report emphasizes that zero-day activity remains at historically elevated levels compared with the pre-2021 period, suggesting that exploitation has become a standard technique in advanced cyber campaigns. 

What makes this trend particularly concerning is that the majority of these attacks are not random. Instead, they are typically deployed in targeted operations conducted by sophisticated threat actors, including nation-state groups and commercial surveillance vendors.

A Strategic Shift Toward Enterprise Technologies

One of the most notable conclusions of the report is the growing shift away from consumer targets and toward enterprise technologies.

Google’s researchers found that 33 of the zero-day vulnerabilities exploited in 2024 affected enterprise software, including networking appliances, security tools, and enterprise infrastructure platforms.

This shift reflects the evolving priorities of threat actors. Compromising enterprise technologies often provides attackers with a gateway into entire organizational environments. Once inside, adversaries can move laterally across systems, escalate privileges, and access sensitive data or intellectual property.

Enterprise infrastructure is particularly attractive because it often acts as the backbone of corporate networks. A vulnerability in a network security appliance, for example, can allow attackers to bypass perimeter defenses and gain persistent access to internal systems.

The report also notes that organizations increasingly rely on complex technology stacks, which expands the potential attack surface and increases the likelihood that exploitable vulnerabilities will exist somewhere within the infrastructure.

Espionage Operations Still Drive Zero-Day Development

While cybercrime continues to grow globally, the research indicates that cyber espionage operations remain one of the primary drivers of zero-day exploitation.

Government-backed threat actors often rely on zero-day vulnerabilities to gain covert access to targeted networks. These actors typically prioritize stealth and persistence over scale, deploying exploits selectively against high-value targets such as government agencies, defense contractors, telecommunications providers, and research institutions.

The report also highlights the continued role of the commercial spyware industry, which develops and sells advanced exploit chains to governments and law enforcement agencies. Some surveillance vendors have been linked to multiple zero-day vulnerabilities over the past several years, demonstrating how the commercialization of cyber capabilities is reshaping the threat ecosystem.

In these cases, vulnerabilities are not simply discovered and used by hackers but are developed as part of an organized market for offensive cyber tools.

Figure: 2025 zero-days in end-user vs enterprise products

Browsers and Mobile Platforms Remain Critical Attack Surfaces

Although enterprise technologies are becoming increasingly attractive targets, browsers and mobile platforms remain central to many zero-day campaigns.

Web browsers represent a particularly valuable attack vector because they serve as the primary interface between users and the internet. Vulnerabilities in browser engines can allow attackers to execute malicious code simply by tricking users into visiting a specially crafted webpage.

Several real-world cases illustrate this risk. Security researchers have documented browser vulnerabilities that enable attackers to escape sandbox protections or execute arbitrary code, potentially allowing full system compromise.

Mobile operating systems are similarly targeted due to their widespread adoption and the sensitive data stored on modern smartphones. Attackers frequently chain multiple vulnerabilities together—combining browser flaws with privilege-escalation exploits—to achieve complete device takeover.

These exploit chains are particularly valuable in surveillance operations where the goal is long-term access to communications, location data, or encrypted messaging platforms.

The Growing Role of Rapid Vulnerability Patching

One of the more positive findings of the report is that vendor patching processes have improved significantly in recent years.

Technology companies now deploy patches faster and coordinate more closely with security researchers through responsible disclosure programs. Initiatives such as Google’s Project Zero have helped standardize vulnerability reporting timelines and encouraged faster remediation cycles.

These improvements have contributed to the decline in some categories of exploit activity. However, the report cautions that attackers have adapted by focusing on less-scrutinized technologies, particularly specialized enterprise products and network appliances.

In many cases, these systems are deployed in environments where patching is slower or operationally difficult, creating a window of opportunity for attackers to exploit vulnerabilities before they are addressed.

Exploit Development Is Becoming More Sophisticated

Another major theme in the report is the increasing sophistication of exploit development.

Modern zero-day attacks frequently involve multi-stage exploit chains that combine several vulnerabilities across different components of a system. This approach allows attackers to bypass multiple layers of defense and maintain persistence even after partial detection.

For example, an attacker may begin with a browser vulnerability to execute code on a target machine. From there, a second exploit could elevate privileges, while a third vulnerability allows the attacker to escape security sandboxes or virtualization environments.

These complex exploit chains require advanced research capabilities and are often developed by well-resourced threat actors.

Figure note: This graph only reflects clusters for which we can assess motivation. In one case, we identify two groups that are separately exploiting the same vulnerability.

The Strategic Implications for Enterprises

For enterprise security teams, the report underscores a fundamental reality: preventing zero-day exploitation entirely is nearly impossible.

Instead, organizations must focus on defense-in-depth strategies that limit the damage when vulnerabilities are exploited.

This includes measures such as:

  • strict network segmentation
  • zero-trust architectures
  • continuous monitoring of privileged accounts
  • rapid patch management
  • proactive threat hunting

By assuming that some vulnerabilities will inevitably be exploited, security teams can design systems that prevent attackers from achieving their ultimate objectives.

AI and Automation Are Changing Both Sides of Cybersecurity

Looking ahead, the report suggests that artificial intelligence and automation will increasingly influence the zero-day ecosystem.

AI-driven tools are already being used by defenders to identify vulnerabilities and analyze exploit patterns more efficiently. At the same time, threat actors are beginning to experiment with AI-assisted malware development and automated reconnaissance.

This dynamic creates an arms race in which both attackers and defenders rely on increasingly sophisticated technologies to gain an advantage.

The Future of Zero-Day Exploitation

Google’s analysis ultimately reinforces a broader conclusion about the future of cybersecurity: zero-day vulnerabilities will remain a central component of advanced cyber operations.

Even as vendors improve patching practices and strengthen security architectures, attackers continue to invest heavily in discovering new vulnerabilities and developing sophisticated exploit techniques.

For governments, enterprises, and technology providers, this means that cybersecurity strategies must evolve beyond reactive patching. Proactive vulnerability research, threat intelligence sharing, and resilient system design will be essential in defending against the next generation of zero-day attacks.

As the digital economy becomes increasingly dependent on interconnected infrastructure, the stakes surrounding zero-day vulnerabilities—and the race to exploit or defend them—are only likely to grow.

Graphics: Google
