Google Threat Intelligence Group (GTIG) just published their annual 0-day review covering 90 vulnerabilities exploited in the wild in 2025. The total sits between 2024's 78 and 2023's record 100, but the composition of who is exploiting what, and where, has shifted significantly.
Here are the five findings I found the most insightful.
1. Commercial surveillance vendors now lead 0-day exploitation.
For the first time since GTIG began tracking, commercial surveillance vendors (CSVs) were attributed more 0-days than traditional state-sponsored espionage groups. If you have the budget, you have the exploit. Intellexa, for example, continued adapting its operations and delivering spyware to high-paying customers throughout 2025.
2. Enterprise targeting hit an all-time high: 48% of all 0-days.
43 out of 90 0-days targeted enterprise technologies. Half of those (21) hit security and networking appliances specifically. The devices you bought to protect your network are the entry point. Edge devices like routers, switches, and security appliances typically lack EDR, creating blind spots where compromises go undetected.
3. China doubled its 0-day usage to 10, with faster exploit sharing across groups.
PRC-nexus groups used at least 10 0-days in 2025, double the 2024 count. UNC5221 continued targeting Ivanti Connect Secure VPNs (CVE-2025-0282). UNC3886 went after Juniper routers (CVE-2025-21590). The focus remained on edge and networking devices where persistent access is hardest to detect. But the more concerning trend is operational: GTIG observed that PRC-nexus groups are increasingly sharing exploits among otherwise separate clusters and exploiting vulnerabilities closer to public disclosure. The gap between a vulnerability going public and mass exploitation by multiple Chinese groups is shrinking.
In a related development, the BRICKSTORM malware campaign targeted technology companies to steal source code and proprietary development documents. GTIG warns this represents a new paradigm: IP theft as a 0-day development pipeline. Stolen vendor source code enables discovery of new vulnerabilities in that vendor's products, threatening not just the victim but their downstream customers.
4. Financially motivated actors exploited 9 0-days, nearly doubling 2024.
Nine 0-days were attributed to confirmed or likely financially motivated groups, nearly doubling 2024's five. FIN11/CL0P exploited CVE-2025-61882 and CVE-2025-61884 as 0-days against Oracle E-Business Suite customers as early as August 2025, weeks before patches were available. The subsequent CL0P extortion campaign hit numerous organizations. RomCom (UNC2596) exploited a 0-day in WinRAR (CVE-2025-8088) to deploy backdoors.
5. Browser hardening is working. Attackers adapted by targeting OS and GPU drivers.
Browser 0-days decreased significantly from the browser-heavy years of 2021 and 2022, while OS 0-days hit 44% of all exploitation (39 out of 90), up from 40% in 2024. Browser sandbox escapes in 2025 exploited components of the underlying operating system or hardware — including GPU drivers (CVE-2025-6558) — rather than the browser sandbox itself. Attackers route around the hardened front door.
My take:
- Geopolitical tensions are driving demand for 0-day capabilities. Governments are increasingly turning to CSVs to augment their internal state-sponsored programs. This likely explains the growth of CSV-attributed 0-days.
- Consumer 0-day prices keep rising as Apple, Google, and Microsoft harden their platforms. An iPhone 0-click costs $2-2.5M and is trending up. Enterprise appliance vendors haven't hardened at the same pace, so a Cisco or Fortinet RCE still goes for around $100K. As the price gap widens, attackers shift to the better ROI: persistent access to an entire network for 20-50x less than one person's phone.
- VPNs, firewalls, and security appliances are an increasingly likely point of compromise — a significant shift from being the most trusted infrastructure. Those devices typically have no EDR agent and limited native forensic capabilities, making compromises harder to detect. It's a good time to rethink patching cycles for edge infrastructure and update incident response playbooks.
- The BRICKSTORM campaign shows that source code is a 0-day pipeline. Stolen product source code lets attackers find new vulnerabilities in that vendor's products, threatening not just the victim but every downstream customer.
- Two conversations to have with your security vendors now. Ask how they protect their own source code and development environments. Push your appliance vendors for built-in integrity checking tools, process-level and filesystem-change logging, and signed firmware with runtime attestation.