0‑Day Exploitation in 2025: Overview and Trends for the Coming Year
📊 Analytics | 2026-03-20, 11:30
Google has prepared an overview of 0‑day vulnerabilities that were most actively exploited in the wild in 2025. The study covers a wide range of aspects, so we have summarized the key findings in three categories; the full report is available via the link.
General 0‑day statistics for 2025:
👾 43 actively exploited 0‑days were identified in enterprise software, compared to 36 in 2024, reflecting a shift in attackers' focus from end users to organizations.
👾 Insecure deserialization, memory corruption, access control flaws, and logical and architectural weaknesses were the main types of vulnerabilities.
👾 The number of attacks exploiting browser vulnerabilities dropped to a historic low, while exploitation of operating system and mobile platform vulnerabilities increased.
Who exploited 0‑days:
🥷 State‑sponsored APT groups most frequently targeted network‑perimeter devices and security tools — these technologies accounted for more than half of all exploitation cases by such groups.
🥷 Commercial surveillance vendors (CSVs) continued to attack browsers and mobile devices, refining their techniques to bypass new protective mechanisms.
🥷 Campaigns involving BRICKSTORM malware demonstrated attackers' interest in stealing intellectual property for subsequent exploit development.
🥷 Chinese cyber espionage groups consistently remain the most active 0‑day exploiters among all state‑sponsored APT groups.
🥷 Financially motivated groups are showing increasing interest in developing 0‑day exploits and continue to invest in this area.
Forecasts for 2026:
🔮 Expansion of attack techniques and emergence of new targets. As defensive mechanisms (especially in browsers and mobile devices) grow stronger, attackers will seek new targets and develop more complex exploit chains.
🔮 Use of infrastructure access for 0‑day research. Recent campaigns have shown that stealing source code can be leveraged to discover new vulnerabilities and conduct follow‑on attacks against the affected companies' clients.
🔮 AI will accelerate the race between attackers and defenders. It is expected to be widely used to automate reconnaissance, vulnerability discovery, and exploit development.
We have previously noted that attackers are adopting 0‑days much faster, reducing the time vendors and customers have to detect and patch them. Under these conditions, organizations must set clear priorities — assessing the most relevant threats, considering their attack surface and other contextual factors — to direct resources toward remediating the most critical weaknesses.