Google: 50% of 2025 zero-days hit flawed enterprise software - AI News Today Recency

📅 Published: 3/5/2026
🔄 Updated: 3/5/2026, 8:01:07 PM

# Google: 50% of 2025 zero-days hit flawed enterprise software

Google's Threat Intelligence Group has issued a stark warning for 2025, projecting that 50% of zero-day vulnerabilities exploited this year will target flawed enterprise software, marking a sharp escalation from 2024's 44% as attackers pivot to poorly secured business platforms like VPNs and firewalls.[1][2][3] This surge underscores the growing vulnerability of corporate networks amid a "new normal" of elevated zero-day threats, urging organizations to prioritize patching and mitigation strategies.[3]

## Zero-Day Exploits Surge in Enterprise Targets

In 2024, attackers exploited 75 zero-day vulnerabilities worldwide, down slightly from 97 in 2023 but still far above pre-2021 levels, establishing a troubling baseline of 60-100 exploits annually.[1][2][3] Notably, 44% of these zero-days struck enterprise technologies, up from 37% the previous year, with security and networking products like Ivanti Connect Secure VPN and Palo Alto Networks' PAN-OS firewalls bearing 60% of enterprise-focused attacks.[2][3] Google attributes this shift to improved defenses in consumer tech—such as browsers and mobile OSes, where exploits dropped by a third and half respectively—pushing threat actors toward less-maintained business systems that enable broader network compromises.[1][2]

Enterprise vendors dominated the hit list, accounting for 18 of 20 companies with exploited zero-days in 2024, a trend mirroring 2023's near-total dominance.[2][3] Government-backed espionage (29%) and spyware firms (23.5%) drove over half of attributed exploits, with North Korea matching China's activity for the first time.[2]

## Why Enterprise Software is the New Zero-Day Battleground

Attackers favor enterprise platforms for their potential to cause extensive damage, exploiting flaws in security appliances to pivot across networks efficiently.[2] Microsoft led with 26 zero-days, primarily in Windows, followed by Google with 11 in Chrome, but the diversification to 18 unique enterprise vendors signals a calculated broadening of targets.[3] Vendors have enhanced mitigations, making end-user tech harder to crack, yet commercial surveillance actors are evading detection better, complicating threat tracking.[1]

For 2025, Google's projection of 50% enterprise-targeted zero-days reflects this momentum, with ongoing incidents like multiple Chrome flaws (e.g., CVE-2025-2783, CVE-2025-14174) highlighting persistent risks even in patched ecosystems.[4][5] CISA has added recent Chrome zero-days to its Known Exploited Vulnerabilities catalog, mandating federal fixes by early 2026.[5]

## Key Implications for Businesses and Defenders

Organizations face heightened risks as zero-days evolve into a "new normal," demanding rapid response playbooks aligned with NIST and MITRE frameworks—ideally within 72 hours of disclosure.[3] Google emphasizes vendor accountability, noting steady increases in affected enterprise providers over three years.[2] Defenders should focus on patching security appliances, monitoring for state-sponsored activity, and leveraging threat intelligence to counter pivots from consumer to enterprise zero-day exploits.[1][3]

While total zero-days dipped in 2024, the enterprise focus amplifies impact, potentially leading to widespread breaches if unaddressed.[1][2]

## Frequently Asked Questions

**What are zero-day vulnerabilities?** Zero-day vulnerabilities are security flaws in software unknown to the vendor, giving defenders "zero days" to patch before exploitation; in 2024, 75 were actively used in the wild.[1][3]

**Why are enterprise software targets rising for zero-days?** Enterprise platforms like VPNs and firewalls are increasingly hit (44% in 2024) due to weaker maintenance compared to consumer tech and their value for network-wide compromises.[2][3]

**Which vendors were most affected by 2024 zero-days?** Microsoft topped the list with 26 exploits, Google had 11 (mostly Chrome), and 18 enterprise vendors like Ivanti were targeted, showing diversification.[3]

**What does Google predict for 2025 zero-day trends?** Google forecasts **50% of 2025 zero-days** will hit enterprise software, building on 2024's 44% amid ongoing attacker pivots.[1][2][3]

**How can businesses defend against zero-day exploits?** Prioritize patching security appliances, apply mitigations within 72 hours, monitor threat intelligence, and follow CISA's KEV catalog for urgent fixes.[3][5]

**Who is behind most zero-day attacks?** Government espionage (29%) and spyware firms (23.5%) led 2024 attributions, with North Korea equaling China in incidents.[2]

🔄 Updated: 3/5/2026, 6:20:39 PM
**Breaking: Google reports 48% of 2025's 90 exploited zero-days targeted enterprise software, marking an all-time high and reshaping the cybersecurity competitive landscape.** This shift—from 37% in 2023 to 44% in 2024—signals attackers pivoting to high-value edge devices like security appliances (21 of 43 enterprise zero-days) and networking gear, displacing browser exploits that hit historical lows[1][2][3]. "Increased exploitation of security and networking devices highlights the critical risk... while targeting of enterprise software exhibits the value of highly interconnected platforms," GTIG stated, pressuring vendors like Ivanti amid 18 unique enterprise targets[2][3].
🔄 Updated: 3/5/2026, 6:30:46 PM
**NEWS UPDATE: Google Reveals 48% of 2025's 90 Exploited Zero-Days Targeted Flawed Enterprise Software** Google Threat Intelligence Group (GTIG) reported that of 90 zero-day vulnerabilities exploited in 2025—a 15% rise from 78 in 2024—43 struck enterprise products like security appliances, VPNs, and networking gear, while 47 hit end-user platforms.[1] Security experts note this shift underscores attackers' focus on high-privilege enterprise systems often lacking EDR monitoring, with GTIG stating, “This continues to reflect a trend...a growing proportion of zero-day exploitation is conducted by CSVs and/or their customers.”[1] Industry analysts warn that vendor
🔄 Updated: 3/5/2026, 6:40:45 PM
**BREAKING: Google Threat Intelligence Group reports 90 zero-day vulnerabilities exploited in 2025, with nearly 50%—specifically 43—targeting flawed enterprise software like security appliances, VPNs, and networking gear.** This marks a 15% rise from 78 in 2024, driven by China-linked groups exploiting 10 for persistent access, as GTIG notes: “a growing proportion of zero-day exploitation is conducted by CSVs and/or their customers.”[1] Enterprise targets hit 48% of cases, up from prior years, underscoring urgent patching needs amid memory safety flaws in 35% of attacks.[1]
🔄 Updated: 3/5/2026, 6:50:53 PM
**Google Threat Intelligence Group (GTIG) reports that of the 90 zero-day vulnerabilities exploited in 2025—a 15% rise from 78 in 2024—nearly half (43) targeted flawed enterprise software like security appliances, networking infrastructure, VPNs, and virtualization platforms, which often evade EDR monitoring due to privileged access.[2]** These flaws, including remote code execution, privilege escalation, injection, deserialization, authorization bypasses, and memory corruption (35% of cases), reflect a shift where enterprise attacks hit 44% of vulnerabilities per 2024 trends, driven by commercial surveillance vendors (CSVs) and state actors like China-linked groups exploiting 10 zero-days for persistent access.[1][2
🔄 Updated: 3/5/2026, 7:00:58 PM
Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in 2025, with **48% targeting enterprise technologies**—a new high that reflects attackers' focus on gaining privileged network access through security appliances, networking infrastructure, and virtualization platforms[2][3]. Memory safety issues accounted for **35% of all exploited zero-days**, while China-linked espionage groups remained the most active state-sponsored threat actors, exploiting 10 zero-days primarily against edge devices and networking equipment for persistent access[2]. The shift toward enterprise exploitation marks a structural change in the threat landscape, with security and networking appliances alone accounting for half of enterprise-targeted zero-days
🔄 Updated: 3/5/2026, 7:10:59 PM
**Google Threat Intelligence Group reports that of 90 zero-day vulnerabilities exploited in 2025—a 15% rise from 78 in 2024—nearly 50% (43 cases) targeted flawed enterprise software like security appliances, VPNs, and networking gear, exposing global businesses to persistent espionage and ransomware.** China-linked groups exploited 10 of these for long-term access to edge devices, while the trend of commercial surveillance vendors (CSVs) weaponizing flaws underscores rising international supply chain risks.[2] No unified global response has emerged yet, though vendors like Fortinet, Ivanti, SAP, and Microsoft rushed patches for related critical flaws amid calls to prioritize enterprise hardening.[3]
🔄 Updated: 3/5/2026, 7:20:57 PM
Google's Threat Intelligence Group reports that 90 zero-day vulnerabilities were exploited in 2025, a 15% rise from 78 in 2024, with a record **48% (43 vulnerabilities)** targeting flawed enterprise software and appliances like security tools, VPNs, and networking gear[2][4]. This marks the highest proportion ever, up from 44% in 2024, as attackers increasingly hit edge devices for privileged access amid declining browser exploits[1][4]. "Enterprise software and edge devices remain prime targets," GTIG notes, with China-linked groups exploiting 10 such zero-days for persistent espionage[2][4].
🔄 Updated: 3/5/2026, 7:30:56 PM
Google's Threat Intelligence Group reports that of the **90 zero-day vulnerabilities** exploited in 2025—a 15% rise from 78 in 2024—**nearly half (43)** targeted flawed enterprise software like security appliances, VPNs, networking gear, and virtualization platforms, which often evade EDR detection[2]. GTIG notes, “This continues to reflect a trend... a growing proportion of zero-day exploitation is conducted by CSVs [commercial surveillance vendors] and/or their customers,” with China-linked groups exploiting 10 such flaws for persistent access to edge devices[2][1]. Industry experts at Bromium warn that enterprises remain exposed for months pre-patch, as "deploying patches reduces attack surface, but this alon
🔄 Updated: 3/5/2026, 7:40:56 PM
**Google Threat Intelligence Group reports that nearly 50% of 2025's 90 exploited zero-days—specifically 43 out of 90—targeted flawed enterprise software and appliances like security tools, VPNs, networking gear, and virtualization platforms, up 15% from 78 in 2024.** These flaws, including remote code execution, privilege escalation, injection bugs, and memory safety issues (35% of total), often evade detection due to limited EDR monitoring on these privileged systems. Implications include heightened risks for long-term network access by state actors like China-linked groups (10 zero-days), urging vendors to prioritize memory-safe coding and segmentation.[2][7]
🔄 Updated: 3/5/2026, 7:50:59 PM
**NEWS UPDATE: Governments Urge Patching After Google Reveals 50% of 2025 Zero-Days Hit Enterprise Software** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded to Google's report of 90 zero-day vulnerabilities exploited in 2025—43 targeting enterprise products like security appliances and VPNs—by adding CVE-2025-14174 to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to patch by January 2, 2026.[2][6] CISA's directive underscores the shift noted by Google, where enterprise tech rose to nearly 48% of attacks from 44% in 2024.[1][2] No further international regulatory actions were detailed i
🔄 Updated: 3/5/2026, 8:01:07 PM
Google's Threat Intelligence Group reported that **43 of the 90 zero-day vulnerabilities exploited in 2025 targeted enterprise products**, representing 48% of all tracked zero-days—a significant shift in attacker focus toward business infrastructure.[2] The most targeted enterprise systems were **security appliances, networking infrastructure, VPNs, and virtualization platforms**, which provide privileged network access and often lack endpoint detection and response (EDR) monitoring.[2] This trend reflects what Google describes as "a slow but sure movement in the landscape," with commercial surveillance vendors and their customers increasingly conducting zero-day exploitation against critical business infrastructure.[2]