Google Threat Intelligence Group Warns Enterprise Systems Now Dominate Global Zero-day Attacks
Posted: Wednesday, Mar 11
KBI.Media

Enterprise technologies have emerged as the primary target for zero-day exploitation, according to new research from the Google Threat Intelligence Group (GTIG), signalling a continued shift away from traditional browser-based attacks toward enterprise infrastructure and edge devices.

In its report, “Look What You Made Us Patch: 2025 Zero-Days in Review,” GTIG identified 90 zero-day vulnerabilities exploited in the wild during 2025. While this is slightly lower than the record 100 incidents observed in 2023, the figure remains within a now-consistent range of 60–100 annual zero-day exploits, suggesting the global threat landscape has stabilised at a persistently high level.

The most notable trend is a significant pivot toward enterprise platforms. According to the analysis, 48 percent of all zero-days exploited in 2025 targeted enterprise technologies, including security appliances, networking infrastructure, and other business-critical systems.

Edge Devices Emerge as Prime Targets

Attackers are increasingly focusing on enterprise edge infrastructure, including firewalls, gateways, and network management platforms, many of which sit at the perimeter of corporate networks.

These systems often lack traditional endpoint detection and response (EDR) tools, making them attractive entry points for attackers seeking persistent access into corporate environments.

GTIG researchers note that operating system vulnerabilities and enterprise security products are now being exploited more frequently than browsers, reversing trends seen earlier in the decade when web browsers were the dominant target.

The report highlights that espionage groups — particularly those linked to nation states — are prioritising edge devices and security appliances to establish long-term footholds inside networks.

Commercial Spyware Firms Surpass Nation-state Actors

In a notable development, GTIG found that commercial surveillance vendors (CSVs) were responsible for more attributed zero-day exploitation in 2025 than traditional government-linked cyber espionage groups.

This marks the first time such companies have surpassed state actors in zero-day activity tracked by the group.

While government-backed operations remain highly active, the research indicates that zero-day capabilities are increasingly being commercialised, allowing a broader range of customers to acquire sophisticated exploitation tools.

Among state-linked actors, cyber espionage groups connected to the People’s Republic of China (PRC) were identified as the most prolific users of zero-day vulnerabilities, frequently targeting enterprise infrastructure to maintain long-term access inside victim networks.

Intellectual Property Theft Emerges as a New Objective

Beyond espionage and access operations, researchers identified a developing trend in which attackers are targeting technology companies themselves, with the aim of stealing intellectual property such as source code.

Several intrusions linked to BRICKSTORM malware highlighted this shift. In these cases, the compromise of technology firms raised concerns that stolen code or internal engineering data could potentially be used to accelerate the discovery or development of future zero-day exploits.

This suggests a new strategic approach: instead of only exploiting vulnerabilities, threat actors may also be building their own exploit pipelines using stolen vendor intelligence.

AI Expected to Accelerate the Arms Race

Looking ahead, GTIG researchers warn that artificial intelligence will likely accelerate the pace of vulnerability discovery and exploitation.

AI-assisted tools could dramatically speed up reconnaissance, code analysis, and exploit development, lowering the barriers for attackers and increasing the volume of vulnerabilities discovered.

For defenders, this means the window between vulnerability discovery and exploitation could shrink even further.

The report predicts that organisations will need stronger monitoring, faster patching cycles, and improved detection capabilities to keep pace with the evolving threat environment.

A Shifting Zero-day Landscape

Taken together, the findings reinforce a broader shift in cyber-attack strategy. Rather than focusing primarily on end-user devices or browsers, attackers are increasingly targeting the infrastructure that organisations depend on to run their networks and security systems.

As enterprise platforms become more complex and interconnected, they are also becoming more attractive targets for sophisticated attackers seeking deeper and more persistent access.

For security teams, the message is clear: defending the enterprise edge and critical infrastructure is now just as important as protecting endpoints.
