
China and spyware companies dominate zero-day attacks

Exploitation of zero-day vulnerabilities in enterprise technology reached a record level in 2025, even though the total number of exploited zero-days did not. Cyber espionage groups linked to China were particularly active against these products, while commercial spyware companies played a larger role than before.

This is according to research by Google Threat Intelligence Group (GTIG), which documented 90 zero-day vulnerabilities that were actively exploited in 2025. That is up from the 78 identified in 2024 but still below the record of 100 set in 2023. Although attacks on end-user products remain slightly more common, the report points to a shift toward enterprise technology.

According to the researchers, 43 of the 90 zero-days were exploited in enterprise software and appliances in 2025, or 48 percent of all observed zero-day exploitation. In 2024 the figure was 36 of 78, or 46 percent.

Security and network equipment most targeted

Security and network equipment were hit hardest: 21 of the 43 enterprise zero-days affected these products. A further fourteen vulnerabilities affected edge devices such as routers, switches, and gateways, The Register reports. Google notes that the true number is likely higher, because such appliances typically cannot run endpoint detection agents, so exploitation on them is harder to observe and is less often captured in the telemetry the count is based on.

This type of infrastructure is an attractive target because a successful exploit usually yields a foothold from which the broader corporate network can be reached. Many of these attacks appear to be aimed at espionage, and the researchers cite cyber espionage groups linked to China as the most active state actors.

Of the 90 zero-days, Google was able to attribute 42 to a specific type of attacker. Fifteen of these were used by commercial spyware companies, with another three probably attributable to such vendors. Twelve were linked to state-sponsored espionage groups, seven of them attributed to China-linked groups. A further three were suspected to be state-linked, and nine involved financially motivated cybercriminals, The Register adds.

Notably, 2025 was the first year in which commercial surveillance vendors were linked to zero-day exploitation more often than traditional state actors. These companies develop spyware and the exploit chains that deliver it, and sell them chiefly to government agencies and law enforcement.

For enterprise technology specifically, state actors still appear to dominate. Chinese espionage groups in particular are reported to exploit vulnerabilities in network and security equipment relatively often.

The targeted vendors also show a clear pattern. Microsoft products were most frequently involved in zero-day exploitation in 2025, followed by products from Google and Apple. According to the researchers, this underscores how important widely deployed software platforms remain to attackers.

Looking ahead to 2026, the researchers expect enterprise infrastructure to remain a key target. Devices at the network edge, such as gateways and network security appliances, give attackers an efficient way into organizations, and their limited monitoring makes the resulting intrusions slow to detect.