Google Tracked 90 Zero-Day Exploits in 2025 With Enterprise Tech Hit Hardest

Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities actively exploited in 2025, up from 78 in 2024. For the first time, enterprise technology was the primary target, with 43 zero-days (48%) hitting enterprise software and appliances. China-linked espionage groups were the most prolific state-backed attackers, while commercial spyware vendors like NSO Group and Intellexa accounted for a growing share of the threat landscape.
Enterprise Tech Is Now the #1 Target
The shift toward enterprise targeting has been building since 2023, but 2025 made it undeniable. Of the 43 enterprise zero-days, security and networking devices bore the brunt — accounting for nearly half (21) of all enterprise-related exploits. Edge devices like routers, switches, and gateways were particularly popular targets, with 14 zero-days exploiting them specifically.
The reason is simple: many edge devices don't run endpoint security tools, making them attractive entry points for attackers who want to stay undetected.
China-Linked Groups Lead the Pack
China-linked cyber-espionage groups were the most prolific state-backed zero-day exploiters in 2025. Of the 42 zero-days Google could attribute to specific groups, seven were directly tied to Chinese state-sponsored actors, with another three attributed to "likely" Chinese government spies. These groups focused heavily on edge device exploitation across security and networking infrastructure.
"PRC-nexus espionage groups exploited the highest number of enterprise tech zero-days we attributed, in large part due to these groups' focus on edge device exploitation," said Google threat intelligence analyst James Sadowski.
Commercial Spyware Vendors Are Booming
For the first time in Google's tracking history, commercial surveillance vendors (CSVs) were attributed more zero-days than traditional government-backed spies. Companies like NSO Group, Intellexa, and Candiru — which sell spyware ostensibly for law enforcement — accounted for 15 zero-days, plus another three by "likely CSVs." That's 18 total, making them the single largest attributed category.
Despite government crackdowns and sanctions, the commercial spyware industry continues to thrive, with its tools regularly found on devices belonging to journalists, protesters, and political opposition leaders.
The Full Breakdown
Of the 42 attributed zero-days: 18 were exploited by commercial spyware vendors, 12 by state-sponsored espionage groups (10 linked to China), 9 by financially motivated cybercriminals, and 1 by a dual espionage-crime group. Microsoft products were the most targeted, followed by Google (11 zero-days) and Apple (8).
The Bottom Line
The zero-day landscape in 2025 tells a clear story: attackers are shifting from targeting consumers to targeting enterprises, and the commercial spyware industry is now a bigger zero-day threat than many nation-states. The 90 actively exploited zero-days represent just what Google could track — the real number is almost certainly higher. If your organization relies on edge devices, VPNs, or enterprise security appliances, assume they're being targeted. Patch aggressively, monitor for anomalies, and don't assume your perimeter devices are safe just because they don't run antivirus.