Google says spyware makers and China-linked groups dominated zero-day attacks last year

Of the 90 zero-days GTIG tracked in 2025, 43 hit enterprise tech

The Register

Zero-day exploitation targeting enterprise tech products reached an all-time high last year, with China-linked cyber-espionage groups remaining the most prolific state-backed users, according to Google.

Google Threat Intelligence Group tracked 43 zero-days in enterprise software and appliances in 2025, representing 48 percent of all attacks against these previously undisclosed bugs. That's up from 36 (46 percent) in 2024. 

In total, the Chocolate Factory documented 90 zero-day vulnerabilities actively exploited last year, which is more than 2024's number (78), but still not as many as 2023's record high of 100.

And while end-user product attacks still slightly outpace those targeting enterprise software and appliances, this most recent report is yet another indicator of attackers' shift since 2023 toward exploiting big orgs.

Security and networking devices were the hardest hit, comprising nearly half (21) of the enterprise-related zero-days last year. Google also noted that 14 enterprise tech zero-days in 2025 affected edge devices, such as routers, switches, and gateways, but added, "this figure likely underrepresents the true scale of activity due to inhibited detection capabilities."

Many of these edge devices don't run endpoint security tools - which is why they make very attractive targets for attackers.

Most of these enterprise attacks appear to be espionage related, and China-linked groups are the biggest offenders, Google's security sleuths told The Register.

"Of the exploitation we were able to attribute, we identified a higher proportion of traditional state-sponsored espionage groups compared to CSVs or cybercrime groups," cyber threat intelligence analyst James Sadowski said.

This is noteworthy because in 2025, for the first time since they started tracking zero-day exploits, Google's threat intel group attributed more zero-days to CSVs - commercial surveillance vendors - than they did to traditional government-backed cyber snoops. 

CSVs are private companies such as NSO Group, Intellexa, and Candiru that develop and sell spyware and exploits, ostensibly to government agencies and law enforcement for legal intel gathering and crime-fighting assistance. It's not always used for these purposes, however, and spyware is sometimes found on devices belonging to journalists, protesters, and political opposition leaders.  

Of the 90 total zero-days, GTIG was able to attribute 42 of them to a particular type of group: 15 of these were exploited by CSVs, plus another three by "likely CSVs," 12 by state-sponsored espionage groups (seven from China), another three by "likely" government spies (also China), nine by financially motivated cyber criminals, and one by dual spies-slash-cybercrims.

Google Threat Intelligence Group security engineer Clement Lecigne declined to name the most prolific CSVs in 2025. "We continue to observe a variety of these vendors exploiting zero-days in their spyware, but aren't able to share specifics at this time," he told The Register, noting that his fellow bug hunters have previously discussed many of the most active CSVs in earlier reports.

When it comes to enterprise-tech zero-days, however, government-linked spies - not CSVs - take the lead. 

"In particular, PRC-nexus espionage groups exploited the highest number of enterprise tech zero-days we attributed, in large part due to these groups' focus on edge device exploitation and broader security and networking devices," Sadowski said. 

"Cyber espionage and intelligence collection, either via CSVs or traditional state-sponsored groups, drive a large volume of zero-day exploitation we have been able to attribute," he added. "The targeting of technology companies in the Brickstorm campaign also demonstrated the potential theft of valuable IP to further the development of zero-day exploits."

Plus, in what will likely come as no surprise to anyone who celebrates Patch Tuesday, Microsoft saw the most total zero-days exploited last year. Google (11) and Apple (8) round out the top three. ®