A total of 90 zero-day vulnerabilities were exploited in the wild in 2025, according to a report released Thursday by Google Threat Intelligence Group.
Of that total, almost half of the exploited vulnerabilities were used against enterprise-grade technology, marking an all-time high.
Exploitation by state-sponsored groups targeted networking and security tools, with a strong emphasis on edge devices, which often lack endpoint detection and response capabilities, according to GTIG researchers.
China-nexus groups remain the most prolific state-sponsored groups, with a long history of detailed knowledge of vulnerable devices.
“They have a significant zero-day development ecosystem that includes industry, academia, and government,” John Hultquist, chief analyst at GTIG, told Cybersecurity Dive.
At least 10 zero-days were attributed to China-nexus espionage groups in 2025, which is double the figure from 2024, wrote GTIG researchers. Among the notable campaigns, a threat actor tracked as UNC3886 exploited an improper isolation flaw in Juniper MX routers, tracked as CVE-2025-21590.
A China-nexus group tracked as UNC5221 was more recently linked to attacks involving Brickstorm malware.
The report warns that AI will become increasingly important for scaling and accelerating threat activity. Hackers will increasingly use AI to conduct reconnaissance, discover new vulnerabilities and develop exploits.
“Vulnerability discovery and weaponization and exploit deployment can all be enhanced with these capabilities, creating potential for exploitation to be faster than ever before,” Casey Charrier, senior vulnerability intelligence analyst at GTIG, told Cybersecurity Dive.
In a notable shift, GTIG researchers said commercial surveillance vendors were involved in more than one-third of zero-day attacks, surpassing state-sponsored espionage groups for the first time. Out of 42 unique zero-days that were attributed to specific actors, surveillance vendors were involved in 15, while state-linked groups were involved in 12.
“These vendors are primary drivers of the zero-day market, often offering turn-key solutions for the entire attack life cycle,” said James Sadowski, CTI analyst at Google.
These vendors develop what is commonly known as spyware and focus largely on exploiting mobile devices and web browsers.
