VYPR
Trend · Published Mar 6, 2026 · Updated May 18, 2026 · 1 source

Google Warns Zero-Day Attacks on Enterprise Software Hit Record High in 2025

Google Threat Intelligence Group reports 90 zero-day vulnerabilities exploited in the wild in 2025, with 48% targeting enterprise software and appliances, marking a structural shift in the threat landscape.

The number of zero-day vulnerabilities actively exploited against enterprise software and appliances reached an all-time high in 2025, according to a new report from Google Threat Intelligence Group (GTIG). The report, released March 5, tracked 90 zero-days that were exploited in the wild before patches were available, up from 78 in 2024 but below the record 100 seen in 2023. The findings underscore a fundamental shift: attackers are increasingly targeting enterprise infrastructure rather than just end-user platforms.

Of the 90 zero-days tracked, 43 (48%) targeted enterprise software and appliances, up from 36 (46%) in 2024. GTIG described this as "a structural change in the threat landscape, reflecting the value of tools that enable privilege escalation, high-level access and broad scale of impact." Nearly half of those enterprise-focused exploits—21 in total—targeted security and networking solutions such as routers, switches, and security appliances. These devices are attractive because they sit at the network edge, often receive less scrutiny, and provide a privileged foothold for lateral movement.

End-user platforms still accounted for the majority of zero-days at 52% (47), but the gap is narrowing. Operating systems were the most targeted end-user category, with 24 zero-days (27%), and Microsoft Windows was the most targeted OS. Mobile operating systems saw a notable increase, with 15 zero-days in 2025 compared to nine in 2024. Browser-based zero-days, however, dropped to a historic low of eight (9%), which GTIG attributed to improved browser security and to better operational security by attackers, which makes their activity harder to track.

Financially motivated threat groups nearly doubled their use of zero-days in 2025, with nine linked to such actors—including two ransomware operations—compared to five in 2024. Nation-state-backed hacking operations, particularly those from China, continued to be heavy users of zero-day exploits. GTIG warned that defenders should prepare for when, not if, they are targeted, emphasizing that system architectures should be designed with inherent segmentation and least-privilege access.

The report also highlighted the importance of continuous monitoring and anomaly detection. "While not preventative, continuous monitoring and anomaly detection, within both systems and networks, paired with refined and actionable alerting capabilities is a real-time way to detect and act against threats as they occur," Google said. The findings reinforce the need for organizations to maintain real-time asset inventories and adopt defense-in-depth strategies as zero-day exploitation becomes more sophisticated and enterprise-focused.

Synthesized by Vypr AI