Particle.news

Google: Record Share of 2025 Zero‑Day Exploits Hit Enterprise Tech

Commercial spyware vendors overtook nation‑states as the primary first users of zero‑day exploits.

Overview

  • Google’s Threat Intelligence Group logged 90 zero‑days exploited in 2025, with 43 targeting enterprise software and appliances and nearly half of those hitting security and networking devices.
  • Microsoft was the most affected vendor with 25 zero‑days, followed by Google with 11 and Apple with 8, while enterprise suppliers including Cisco, Fortinet, Ivanti and VMware were frequent targets.
  • GTIG attributed first exploitation of 42 flaws: 15 to commercial surveillance vendors (plus three likely), 12 to state‑sponsored groups (plus three likely), and nine to financially motivated criminals.
  • Among state actors, China‑linked espionage groups were the most active and concentrated on edge and security appliances to maintain persistent access, including activity by UNC5221 and UNC3886.
  • Exploitation shifted toward operating systems and mobile platforms as browser zero‑days fell to a record low, and GTIG forecasts AI will accelerate exploit discovery in 2026 while also boosting defenders’ capabilities.