Executive Summary
In 2025, Google's Threat Intelligence Group (GTIG) identified 90 zero-day vulnerabilities exploited in the wild, marking a 15% increase from 2024. Notably, 43 of these targeted enterprise products such as security appliances, networking infrastructure, VPNs, and virtualization platforms, which often provide privileged network access and lack endpoint detection and response (EDR) monitoring. The most exploited categories included operating systems, with 24 zero-days in desktop OSs and 15 in mobile platforms. Memory safety issues accounted for 35% of all exploited zero-day vulnerabilities.
This trend underscores the growing focus of threat actors on enterprise systems, highlighting the need for organizations to enhance their security measures. The rise in zero-day exploits, particularly targeting critical infrastructure, emphasizes the importance of proactive vulnerability management and rapid patch deployment to mitigate potential risks.
Why This Matters Now
The increase in zero-day exploits targeting enterprise systems in 2025 highlights the urgent need for organizations to strengthen their cybersecurity defenses. As threat actors continue to focus on critical infrastructure, timely patching and comprehensive security strategies are essential to protect sensitive data and maintain operational integrity.
Attack Path Analysis
The adversary exploited zero-day vulnerabilities in enterprise software to gain initial access, escalated privileges by exploiting unpatched system flaws, moved laterally across the network by compromising additional systems, established command and control channels to maintain persistent access, exfiltrated sensitive data through covert channels, and ultimately disrupted operations by deploying ransomware.
Kill Chain Progression
Initial Compromise
Description
The adversary exploited zero-day vulnerabilities in enterprise software to gain initial access to the network.
Related CVEs
CVE-2025-2783
CVSS 8.3. A sophisticated zero-day vulnerability in Google Chrome allowing attackers to bypass the browser's sandbox protection system, leading to potential remote code execution.
Affected Products:
- Google Chrome – < 89.0.4389.90
Exploit Status: exploited in the wild
CVE-2025-53690
CVSS 9. A ViewState deserialization vulnerability in Sitecore products allowing remote code execution when a sample machine key is used.
Affected Products:
- Sitecore XP – 9.0 and earlier
- Sitecore Active Directory – 1.4 and earlier
Exploit Status: exploited in the wild
CVE-2025-61882
CVSS 9.8. A zero-day vulnerability in Oracle E-Business Suite exploited in widespread extortion campaigns, allowing unauthorized data access.
Affected Products:
- Oracle E-Business Suite – 12.2 and earlier
Exploit Status: exploited in the wild
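The ViewState deserialization flaw above is only exploitable when the attacker knows the ASP.NET machine key, so a practical defender check is to audit web.config for a static machineKey that matches a published sample value, a weak validation algorithm, or a disabled ViewState MAC. The script below is an added example, not code from the advisory or from Sitecore; the deny-list entries and both sample configs are constructed placeholders, not the real sample key.

```python
import re
import xml.etree.ElementTree as ET

# Constructed placeholder deny-list. In practice, populate it with the sample keys
# printed in vendor deployment guides; the real Sitecore sample key is NOT reproduced here.
KNOWN_SAMPLE_KEYS = {
    "validationKey": {"0123456789ABCDEF" * 8},  # placeholder, not a real key
    "decryptionKey": {"FEDCBA9876543210" * 4},  # placeholder, not a real key
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
WEAK_VALIDATION = {"MD5", "SHA1"}


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the <machineKey> and ViewState MAC settings in a web.config."""
    findings = []
    root = ET.fromstring(web_config_xml)
    # ViewState MAC must stay enabled; without it the serialized state is unsigned.
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("pages: enableViewStateMac=false (ViewState MAC disabled)")
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return findings  # keys are auto-generated per machine when the element is absent
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() in WEAK_VALIDATION:
        findings.append(f"machineKey: weak validation algorithm {validation}")
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # AutoGenerate[,IsolateApps] is the safe default
        if value.upper() in {k.upper() for k in KNOWN_SAMPLE_KEYS[attr]}:
            findings.append(f"machineKey: {attr} matches a published sample key")
        elif not HEX_RE.match(value) or len(value) < 32:
            findings.append(f"machineKey: {attr} is not a strong hex key")
    return findings


# Constructed sample configs: one copied from a "deployment guide", one hardened.
SAMPLE_CONFIG_BAD = (
    '<configuration><system.web>'
    '<machineKey validationKey="' + "0123456789ABCDEF" * 8 + '" '
    'decryptionKey="' + "FEDCBA9876543210" * 4 + '" validation="SHA1" decryption="AES"/>'
    '<pages enableViewStateMac="false"/></system.web></configuration>'
)
SAMPLE_CONFIG_GOOD = (
    '<configuration><system.web>'
    '<machineKey validationKey="' + "A1B2C3D4E5F60718" * 4 + '" '
    'decryptionKey="' + "9F8E7D6C5B4A3210" * 3 + '" validation="HMACSHA256" decryption="AES"/>'
    '</system.web></configuration>'
)

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_CONFIG_BAD), ("good", SAMPLE_CONFIG_GOOD)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```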
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Defense Evasion
Exploitation for Privilege Escalation
Exploitation for Client Execution
Valid Accounts
External Remote Services
Application or System Exploitation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – System and Software Security Vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
Zero-day exploitation targeting security appliances and VPNs directly compromises network protection infrastructure, requiring immediate inline inspection and egress filtering capabilities.
Financial Services
High-value targets for commercial spyware and ransomware groups exploiting zero-days, demanding enhanced microsegmentation and threat detection to protect financial data.
Government Administration
Primary target for China-linked espionage groups using zero-day exploits against edge devices and networking equipment for persistent access to sensitive systems.
Information Technology/IT
Microsoft's 25 zero-days and enterprise software vulnerabilities expose IT infrastructure to remote code execution and privilege escalation through unpatched systems.
Sources
- Google says 90 zero-days were exploited in attacks last year – https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/ (Verified)
- Kaspersky discovers sophisticated Chrome zero-day exploit used in active attacks – https://www.kaspersky.com/about/press-releases/kaspersky-discovers-sophisticated-chrome-zero-day-exploit-used-in-active-attacks (Verified)
- ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) – https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability (Verified)
- Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign – https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely constrain the adversary's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and deploy ransomware, thereby reducing the overall blast radius of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The adversary's ability to exploit zero-day vulnerabilities may be constrained, limiting their initial access to the network.
Control: Zero Trust Segmentation
Mitigation: The adversary's ability to escalate privileges may be constrained, reducing their control over compromised systems.
Control: East-West Traffic Security
Mitigation: The adversary's ability to move laterally across the network may be constrained, limiting their access to additional systems.
Control: Multicloud Visibility & Control
Mitigation: The adversary's ability to establish command and control channels may be constrained, reducing their persistent access to the network.
Control: Egress Security & Policy Enforcement
Mitigation: The adversary's ability to exfiltrate sensitive data may be constrained, limiting data loss.
Mitigation: The adversary's ability to deploy ransomware may be constrained, reducing the impact on business operations.
Impact at a Glance
Affected Business Functions
- Web Browsing
- Content Management
- Enterprise Resource Planning
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data, including customer information and financial records.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit lateral movement and contain potential breaches.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Regularly update and patch systems to mitigate the risk of exploitation through known vulnerabilities.