Google Threat Intelligence Group has said it tracked 90 vulnerabilities that were disclosed in 2025 and exploited as zero-days, a total above 2024’s 78 and within the 60-to-100 range the company says has held over the last five years.

The search engine firm reported that enterprise technologies accounted for 43 of the 90 zero-days, or 48%, the highest raw number and share it has recorded.

It also said commercial surveillance vendors, or CSVs, surpassed traditional state-sponsored cyber espionage groups in attributed zero-day exploitation for the first time since it began tracking the category.

Enterprise technologies took nearly half the hits

On enterprise targeting, it said the sustained rise reflects the value attackers place on infrastructure that provides privileged access and broad operational reach across networks and data assets.

Enterprise targeting was especially visible in security, networking and edge-related products. Google said 21 of the 43 enterprise zero-days affected security and networking products.

It said routers, switches and security appliances remain attractive because they sit at the perimeter, hold privileged positions inside enterprise environments and usually lack endpoint detection and response coverage, limiting visibility once they are compromised.

Google identified 14 zero-days affecting edge devices in 2025, but also said that figure likely understates the real scale of activity because detection on those platforms remains limited.

That blind spot has already drawn direct government attention. In February 2025, CISA and partner agencies warned that foreign adversaries routinely exploit software flaws in network edge devices to infiltrate critical infrastructure networks and systems, and published mitigation guidance for network edge devices and other internet-facing assets.
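Because the appliances described above rarely run an EDR agent, the practical visibility a defender has is the device's own syslog stream. The script below is an added example (not code from Google, CISA or any vendor) showing the kind of out-of-band check that closes part of that gap: it parses a few constructed syslog lines in a generic key=value appliance style, flags successful management-plane logins from outside the assumed management networks, and flags creation of new local accounts on the device, which is a common way of keeping persistent access to an appliance. The log format, hostnames, usernames and management network ranges are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample syslog lines in a generic appliance style (not any vendor's real format).
SAMPLE_SYSLOG = """\
<134>2025-09-14T02:11:07Z fw-edge-01 mgmt: user=admin src=10.20.0.15 method=https result=success
<134>2025-09-14T02:14:33Z fw-edge-01 mgmt: user=admin src=203.0.113.44 method=ssh result=success
<134>2025-09-14T02:15:02Z fw-edge-01 mgmt: user=svc_backup src=198.51.100.7 method=https result=failure
<134>2025-09-14T02:16:40Z fw-edge-01 config: user=admin action=add-local-user name=support2 src=203.0.113.44
<134>2025-09-14T03:00:00Z fw-edge-01 mgmt: user=netops src=192.168.5.9 method=ssh result=success
"""

# Assumed management networks: logins to the device from anywhere else are suspicious.
DEFAULT_MGMT_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# <PRI>timestamp host facility: key=value key=value ...
LINE_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields.update(ts=m.group("ts"), host=m.group("host"), facility=m.group("facility"))
    return fields


def is_management_source(src, mgmt_nets):
    """True if src is a valid IP inside one of the allowed management networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in mgmt_nets)


def detect(syslog_text, mgmt_nets=DEFAULT_MGMT_NETS):
    """Return (rule, host, subject, src) tuples for events worth an analyst's attention."""
    findings = []
    for raw in syslog_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev.get("src", "")
        # Rule 1: successful management login from outside the management networks.
        if (ev["facility"] == "mgmt" and ev.get("result") == "success"
                and not is_management_source(src, mgmt_nets)):
            findings.append(("external-admin-login", ev["host"], ev.get("user"), src))
        # Rule 2: a new local account on the appliance, a typical persistence step.
        if ev["facility"] == "config" and ev.get("action") == "add-local-user":
            findings.append(("new-local-account", ev["host"], ev.get("name"), src))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_SYSLOG):
        print(finding)
```

On the constructed sample this reports two findings from the same external address: an SSH admin login from 203.0.113.44 and, two minutes later, creation of the local account support2. Failed logins are deliberately not alerted on here; in production you would count them per source and threshold them separately so that noise from scanners does not bury the successful-login signal.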

State-backed actors and the PRC pattern

The state-backed picture did not disappear. Google said PRC-nexus groups remained the most prolific traditional espionage users of zero-days in 2025, continuing a pattern it says has held for nearly a decade.

It attributed at least 10 zero-days to PRC-linked groups including UNC5221 and UNC3886, both of which continued to focus heavily on security appliances and edge devices as access points for persistent operations against strategic targets.

Financially motivated groups and the Oracle example

Financially motivated actors also remained active in the same ecosystem. Google said it attributed nine zero-days in 2025 to confirmed or likely financially motivated groups, nearly matching the total volume it recorded in 2023 and representing a larger share of all attributed vulnerabilities in 2025.

One of the clearest examples was the Oracle E-Business Suite activity Google linked to threat actors associated with the CL0P extortion brand. Google said exploitation began as early as Aug. 9, 2025, with suspicious activity dating back to July 10, well before a patch was made available.

Stolen source code as a zero-day pipeline

Google also used the review to highlight a broader risk for technology companies and their customers. Its summary said intrusions tied to BRICKSTORM malware in 2025 demonstrated the potential theft of valuable intellectual property to support future zero-day development.

The company’s forecast section went further, saying stolen source code and proprietary development documents could help actors discover vulnerabilities in a vendor’s software, creating risk not only for the initial victim but also for downstream customers.

The AI acceleration problem

The report also lands as security vendors warn that intrusion speed and AI-related abuse are increasing.

CrowdStrike said the average eCrime breakout time fell to 29 minutes in 2025, with the fastest observed breakout taking 27 seconds, while also reporting that adversaries exploited legitimate GenAI tools at more than 90 organizations.

Thales, in its 2026 Data Threat Report, said 70% of organizations ranked the speed of change within AI ecosystems as their top AI risk, and 61% said their AI applications were already being targeted.

Google’s 2026 forecast says that pressure is likely to intensify. The company said AI will accelerate the race between attackers and defenders by speeding reconnaissance, vulnerability discovery and exploit development for adversaries, while also helping defenders use agentic tools to discover and patch flaws before exploitation.
