Google says 90 zero-days exploited in 2025 as commercial vendor activity grows
Summary
Google’s Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in the wild during 2025, up from 78 in 2024. GTIG could directly attribute exploitation for 42 of those zero-days: around 18 were definitively or likely used by commercial surveillance vendors, and roughly 15 by state-sponsored espionage groups from countries including China, Russia and the UAE.
The report shows a split in targeting: state-backed actors prioritised edge devices and security appliances (routers, firewalls) to maintain persistent network access, while commercial surveillance vendors mainly focused on mobile devices and browsers to sell intrusion tools for personal devices. Microsoft products saw the most zero-days, followed by Google and Apple.
Key Points
- GTIG recorded 90 exploited zero-days in 2025, up from 78 in 2024.
- 42 zero-days were directly attributable; ~18 to commercial surveillance vendors and ~15 to state-sponsored espionage groups.
- State actors targeted edge devices and security appliances to retain persistent access to organisations’ networks.
- Commercial surveillance vendors concentrated on mobile devices and browsers; exploit chains combining several vulnerabilities drove the rise in mobile zero-days.
- Chinese state-linked groups were the most prolific users of zero-days and shifted to exploiting vulnerabilities closer to public disclosure.
- Financially motivated criminals also developed zero-days; overlaps exist between criminal and state-linked actors.
Context and relevance
This report highlights a changing zero-day ecosystem where commercial spyware firms are expanding the availability of sophisticated exploits previously confined to nation-states. That means more actors can buy or reuse powerful vulnerabilities, compressing the time between disclosure and widespread exploitation. The focus on edge devices underscores a persistent defensive gap: many routers and security appliances lack EDR-style protections and are attractive soft targets for long-term access.
For security teams, the findings reinforce two priorities: harden and inventory perimeter/edge kit that may not get regular updates, and treat mobile/browser platforms as high-risk targets because exploit chains are becoming more complex and commercialised.
Why should I read this?
Short version — read it if you care about real-world risk: zero-days are getting cheaper and easier to weaponise, and that shifts the threat from pure espionage to something that can quickly affect businesses and individuals. It’s a useful snapshot of who is doing what and why your edge devices and phones might be the weak links right now.
Source
https://therecord.media/google-says-90-zero-days-exploited-apt-spyware-vendors
