2025 Zero-Days: 90 Exploits Reviewed

What if your company's 'trusted' edge devices are the hackers' favorite backdoor? Google's latest zero-day tally shows 90 exploits in 2025, and enterprises are paying the price.

2025 Zero-Days Hit 90: Enterprises Bleeding, Browsers Breathing Easy — theAIcatchup

Key Takeaways

  • Enterprises hit hardest: 48% of 2025 zero-days target edge devices and software.
  • CSVs surpass state actors in zero-day attributions, democratizing elite exploits.
  • AI forecast: Accelerates arms race, with attackers likely gaining early edges.

Ever wonder why your IT budget keeps ballooning, yet breaches still happen like clockwork?

Google’s Threat Intelligence Group just dropped their 2025 zero-days review, tallying 90 vulnerabilities exploited in the wild. That’s down from 2023’s record 100, sure, but up from 2024’s 78—and stuck in that cozy 60-100 rut we’ve seen for years. Stabilization? Call it what you want; it feels more like the new normal for a world where patching never ends.

And here’s the kicker that’s got me rubbing my eyes: enterprises now eat nearly half of these zero-days. Forty-three of ‘em, or 48%—all-time highs. Browsers? They’re finally catching a break, dropping to historic lows in exploitation. OS bugs, though? Picking up the slack.

Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.

State-sponsored crews—think PRC nexus like UNC5221 and UNC3886—are laser-focused on edge devices and security appliances. Over half their zero-day hits land there, prying open networks for espionage gold. These aren’t script kiddies; they’re pros turning your firewall into a welcome mat.

Why Are Enterprises Suddenly Zero-Day Central?

Look, I’ve covered this beat for two decades, from the Conficker worm days to Log4Shell madness. Back then, browsers were the Wild West—Flash holes galore, easy RCE for anyone with a phishing email. Now? Vendors like Google and Apple have layered on mitigations that make simple exploits a joke. So attackers pivot. Hard.

Enterprises? They’re a sitting duck buffet. Interconnected software stacks, sprawling networks, and those ‘trusted’ edge boxes everyone forgets to patch. Networking gear, security appliances—48% of 2025’s zero-days. It’s not hype; it’s math. One weak link, and boom: privileged access to data troves.

Financial crooks aren’t sleeping either. Nine zero-days attributed to them, nearly matching 2023 highs. Ransomware gangs chaining bugs in enterprise tools? That’s not new, but the proportion’s climbing. Who’s really winning here—the patch teams burning midnight oil, or the bad guys cashing Bitcoin?

Commercial surveillance vendors (CSVs)—those shadowy mercs selling exploits to the highest bidder—flipped the script this year. For the first time, Google pins more zero-days on them than state spies. Mobile and browser chains, beefed up to dodge mitigations. They’re lowering the bar for any dictator with a checkbook.

Mobile zero-days bounced back to 15 after dipping low. Why? Complexity. Attackers chain more bugs or hit lower privileges smarter. Vendors evolve defenses; crooks just get craftier. It’s an arms race, and we’re all collateral.

Is PRC Still the Zero-Day Kingpin?

You bet. PRC groups dominated again, consistent for a decade. Edge devices for persistence—strategic targets like tech firms ripe for IP theft. Remember BRICKSTORM malware? Multiple intrusions, hitting tech companies to steal exploit development secrets. Vicious cycle: steal zero-days to build more zero-days.

But CSVs stealing the show? That’s my unique worry—no one’s yelling about it enough. These vendors democratize pain, selling to non-state actors who couldn’t brew their own exploits. It’s like the dark web’s exploit Etsy, and 2025 proved demand’s booming.

Forecast for 2026? More of the same, expanded. Attack surfaces balloon with apps and devices; one hole’s enough. And AI? Google’s all-in: it’ll ‘accelerate the race,’ automating attacks, scaling defenses. Sounds sexy, but I’ve seen this movie—AI hype from 2017, remember? It’ll fuzz vuln hunting, sure, but also arm script kiddies with auto-phishers. Defenders get tools too, yet history says attackers adapt faster. My bold call: zero-days hit 100+ by 2027, AI just pours gas on the fire.

Here’s the thing—enterprises, wake up. That 48% stat isn’t abstract; it’s your SOC team drowning in alerts. Edge trust? Kill it. Patch religiously, segment networks like your life’s on it (it is).

Financially motivated exploitation tying its records shows even randos can play. Nine exploits for profit—ransomware’s zero-day habit is growing. Browsers safer? Good, but don’t sleep on the OS upticks.

So, stabilization at 90-ish zero-days? Nah, it’s a plateau before the climb. Vendors mitigate browsers; attackers feast on enterprise sprawl. Who’s making bank? CSVs, state actors, ransomware crews. You? Paying the patching piper.

Will AI Actually Stop the 2026 Zero-Day Surge?

Google says it’ll dynamize threats—attackers automate, defenders scale. Optimistic spin. But let’s cut the BS: AI’s dual-use, and blackhats code faster. We’ve got tools like fuzzers today; tomorrow, it’s agentic malware hunting vulns solo.

My parallel? Early antivirus arms race—signatures worked till polymorphic viruses laughed them off. AI defenders? Same fate if models lag. Prediction: 2026 sees first AI-discovered zero-day chains sold on dark markets. Buckle up.

Edge devices as entry points account for half of the espionage zero-days. Security appliances? Ironic. Your ‘protection’ layer is the breach vector. Time to rethink trust.

Mobile rebound to 15? Chains lengthening, or single precise hits. Attackers adapting; vendors reacting. Eternal dance.

Bottom line: 2025’s 90 zero-days scream ‘fix your edges, enterprises.’ PR spin calls it ‘stabilization’—I call it stagnation. Who’s profiting? Not you.

Frequently Asked Questions

What were the top targets for 2025 zero-days? Enterprises (48%), especially edge devices and security appliances. Browsers hit lows.

Who exploited the most zero-days in 2025? CSVs edged out state sponsors for the first time; PRC groups still lead espionage.

How will AI impact zero-days in 2026? It’ll speed up both attackers and defenders, likely expanding the threat surface with automated exploits.

Sarah Chen
Written by

AI research editor covering LLMs, benchmarks, and the race between frontier labs. Previously at MIT CSAIL.



Originally reported by Mandiant Blog
