Cybercriminals actively exploited almost 90 zero-day vulnerabilities last year.
Brief summary of the GTIG report for 2025
| Metric | Value |
| --- | --- |
| Total zero-days exploited in 2025 | 90 (15% more than in 2024) |
| Vulnerabilities in corporate software and devices | almost half of all cases |
| Most frequent attack targets | Microsoft – 25, Google – 11, Apple – 8, Cisco & Fortinet – 4 each, Ivanti & VMware – 3 each |
What are zero-days
A zero-day is a vulnerability that an attacker exploits before the product vendor becomes aware of it and releases a patch. Such bugs are prized by hackers because they allow full control over a system: bypassing authentication, executing code remotely, or escalating privileges.
Division by target type
* End‑user platforms – 47 cases (≈52%)
* Corporate products – 43 cases (≈48%)
In the corporate sphere the most frequently attacked categories are:
1. Security devices
2. Network equipment and infrastructure
3. VPN services
4. Virtualization platforms
Key vulnerability categories
| Category | % of total zero-days |
| --- | --- |
| Memory issues | 35% |
| Desktop OS errors | 24% |
| Mobile OS errors | 15% |
Browsers accounted for 8 exploits. This is sharply lower than in previous years, which may indicate improved browser protection and/or more covert evasion methods.
New players
* Commercial spyware vendors became the largest exploiters of undocumented vulnerabilities, surpassing state groups.
* In 2025 the most active state actors were Chinese espionage groups, using 10 zero-days, primarily on peripheral and network devices.
Financial motivation
This year saw an increase in financially motivated attacks (ransomware, data theft). Such attacks accounted for 9 zero-days.
Forecast for 2026 and Google’s recommendations
1. AI as a tool – automation of vulnerability discovery and acceleration of exploit creation will keep the exploitation level high.
2. To reduce risk:
   * Minimize attack surface (remove unnecessary services, limit user privileges).
   * Continuously monitor system behavior anomalies.
   * Ensure rapid update cycles and incident response.
Thus, 2025 showed increased use of zero-days, especially against corporate products and by commercial spyware vendors, with memory and OS vulnerabilities remaining a major focus. Expectations for 2026 remain high, but Google offers concrete measures to protect against them.