Google says spyware makers and China-linked groups dominated zero-day attacks last year
Summary
Google’s Threat Intelligence Group (GTIG) reported a rise in zero-day exploitation in 2025, documenting 90 actively exploited zero-days — up from 78 in 2024 but below 2023’s peak of 100. Nearly half of those (43) targeted enterprise technology such as security and networking devices. Commercial surveillance vendors (CSVs) and China-linked state espionage groups were the most notable actors: CSVs accounted for a large share of attributed exploits overall, while PRC-nexus state groups led when it came to enterprise-tech zero-days, especially against edge and networking kit. Microsoft was the most-targeted vendor, followed by Google and Apple.
Key Points
- GTIG tracked 90 zero-day vulnerabilities actively exploited in 2025, versus 78 in 2024 and 100 in 2023.
- 43 zero-days (48%) hit enterprise software and appliances in 2025, up from 36 (46%) in 2024.
- Security and networking devices were hardest hit (21 enterprise zero-days); edge devices (routers, switches, gateways) accounted for 14, though that figure likely undercounts real activity.
- Of the 42 zero-days GTIG attributed: ~18 were linked to commercial surveillance vendors (CSVs or likely CSVs), ~15 to state-sponsored espionage (including seven attributed to China), nine to financially motivated criminals, and one was a mixed-use case.
- Overall, CSVs were prominent exploiters of zero-days in 2025, but for enterprise-tech targets traditional state-linked groups — especially PRC-associated actors — dominated.
- GTIG declined to name the specific CSVs observed; prior reporting has highlighted vendors like NSO, Intellexa and Candiru in related contexts.
- Microsoft products saw the most zero-days exploited, with Google and Apple rounding out the top three vendors.
Content summary
Google’s report emphasises a continued shift towards targeting larger organisations and infrastructure since 2023. Attackers favour devices and appliances that often lack endpoint security — edge routers, switches and dedicated networking kit — making them attractive attack surfaces. GTIG’s analysis shows both private spyware companies and nation-state actors using zero-days: CSVs are highly active across various targets, while PRC-linked groups concentrated on enterprise technologies. The Brickstorm campaign and similar operations also underscore how theft of IP can feed the development of further zero-day capabilities. GTIG’s attribution covers a subset of cases (42 of 90), reflecting detection and visibility challenges.
Context and relevance
This matters because enterprise infrastructure compromise can give attackers long-term access, data exfiltration opportunities and routes to pivot across networks. The prominence of CSVs shows a thriving private exploit market feeding both law-enforcement-style and abusive surveillance. Equally, state-backed focus on edge and networking devices underlines geopolitical intelligence priorities and raises the stakes for organisations running such kit. For security teams, the report reinforces why patching, network segmentation, visibility on edge devices and vendor-focused risk management are essential. It’s part of a broader industry trend: more zero-days, and a growing blend of private and state actors weaponising them.
Why should I read this?
Short version: if you run or secure networks, routers, firewalls or any enterprise kit, this is exactly the kind of wake-up call you need. Google lays out who’s using zero-days, where they’re hitting, and why edge/networking kit is suddenly so attractive. Saves you digging through the long report — but the detail matters if you want to prioritise patches and harden the right gear.
