← Back to Security Blog
Research & Analysis March 7, 2026 9 min read

Google Zero-Day Report 2025: 90 Exploited Flaws, Enterprise Targeting Surges

Google Threat Intelligence Group's annual zero-day analysis reveals 90 vulnerabilities exploited in the wild during 2025 — with nearly half targeting enterprise security products, networking appliances, and cloud infrastructure. Spyware vendors and China-linked APTs dominate attribution. Meanwhile, a 3.4-million-patient healthcare breach and new fileless malware campaigns demonstrate why continuous vulnerability scanning is no longer optional.


📊 Google's 2025 Zero-Day Landscape: Key Numbers

💡 Annual Zero-Day Tracking by GTIG

Google Threat Intelligence Group (GTIG) tracks zero-day vulnerabilities exploited in the wild each year. The 2025 report marks one of the highest years on record, with 90 zero-days confirmed exploited — up from 73 in 2024 and approaching 2021's peak of 97.

The Enterprise Shift

The most significant finding: approximately 45 of the 90 zero-days (50%) directly targeted enterprise products rather than consumer endpoints. This represents a dramatic shift from previous years when browsers and mobile operating systems dominated the zero-day exploitation landscape.

Category Zero-Days (2025) Percentage Trend vs 2024
Enterprise Security Products ~20 22% 🔺 Up significantly
Networking/VPN Appliances ~15 17% 🔺 Up
Cloud/SaaS Platforms ~10 11% 🔺 Up
Mobile OS (iOS/Android) ~18 20% 🔻 Down
Browsers ~12 13% 🔻 Down
Desktop OS ~15 17% ➡️ Stable

Attribution: Who's Exploiting Zero-Days?

Less than half of the 90 zero-days could be attributed to specific threat actors, but the leading groups paint a clear picture:

⚠️ Top Zero-Day Exploiters in 2025

1. Commercial spyware vendors — NSO Group, Intellexa, and newer entrants continue to dominate zero-day exploitation, accounting for roughly 30% of attributed zero-days.
2. China-linked APT groups — Multiple Chinese state-backed groups (Salt Typhoon, Volt Typhoon, APT41) exploited enterprise-focused zero-days targeting networking equipment and cloud platforms.
3. Russia-linked groups — Focused primarily on Ukrainian and European targets using zero-days in Microsoft products.
4. North Korea — Increasingly sophisticated, targeting cryptocurrency platforms and developer tools.

Why Enterprise Products Are Now the Primary Target

Several factors explain the shift toward enterprise targeting:


🏥 TriZetto Healthcare Breach: 3.4 Million Patients Exposed

⚠️ Massive Healthcare Data Exposure

TriZetto Provider Solutions (a Cognizant subsidiary) disclosed a data breach affecting 3,433,965 individuals. Attackers had unauthorized access for nearly a year — from November 2024 to October 2025.

Breach Timeline

Date Event
November 19, 2024 Unauthorized access begins
October 2, 2025 Suspicious activity detected
December 9, 2025 Affected providers notified
February 2026 Customer notifications begin
March 6, 2026 Maine AG filing confirms 3.4M affected

Exposed Data Types

The 317-day dwell time (from initial access to detection) is particularly alarming and underscores the need for continuous monitoring and automated threat detection. Cognizant previously faced scrutiny after the 2020 Maze ransomware incident and a Scattered Spider-related breach through its help desk.


🦠 VOID#GEIST: Fileless Multi-Stage Malware Campaign

⚠️ Advanced Fileless Attack Chain

Securonix researchers have documented VOID#GEIST, a sophisticated multi-stage malware campaign that delivers XWorm, AsyncRAT, and Xeno RAT through fileless execution techniques.

Attack Chain Breakdown

  1. Initial access — Batch script fetched from TryCloudflare domain via phishing email
  2. Decoy display — Chrome opens a fake financial PDF in full-screen as visual distraction
  3. Hidden execution — PowerShell re-executes the batch script with -WindowStyle Hidden
  4. Persistence — Startup directory placement (no registry modifications, no privilege escalation)
  5. Payload fetch — ZIP archives downloaded containing encrypted shellcode and a Python loader
  6. In-memory execution — Python runtime decrypts and injects shellcode via Early Bird APC injection into explorer.exe

💡 Why This Matters

The VOID#GEIST campaign represents a broader industry shift from standalone executables toward modular, script-based delivery frameworks. Each stage appears innocuous in isolation, mimicking legitimate administrative activity. The use of a legitimate embedded Python runtime from python.org eliminates dependencies and evades application allowlisting.

Delivered Payloads

RAT Capabilities Encrypted File
XWorm Full remote access, keylogging, screen capture, persistence new.bin
AsyncRAT Asynchronous C2 communication, plugin extensibility, credential theft pul.bin
Xeno RAT Open-source RAT with HVNC, microphone/webcam access xn.bin

🌐 Cisco SD-WAN & Rockwell ICS: More Active Exploits

Cisco Catalyst SD-WAN

Cisco has confirmed that two recently patched Catalyst SD-WAN vulnerabilities — CVE-2026-20128 and CVE-2026-20122 — are now being actively exploited in the wild. Organizations running affected SD-WAN configurations should apply patches immediately or implement the recommended workarounds.

Rockwell Automation ICS Vulnerability

A Rockwell Automation vulnerability originally disclosed and mitigated in 2021 has been confirmed as actively exploited in attacks targeting industrial control systems. This highlights a persistent challenge in OT/ICS environments: even when patches exist, they often aren't applied due to operational constraints and downtime concerns.

⚠️ ICS/OT Risk

If your organization runs Rockwell programmable logic controllers (PLCs), verify patch status immediately. Remote exploitation of ICS systems can lead to physical process manipulation, safety system bypasses, and operational disruption.


🔒 LeakBase Forum Shut Down — 142,000 Users

In a positive development, the LeakBase cybercrime forum has been shut down by law enforcement, with suspects arrested. The stolen credential marketplace had been active since 2021 and hosted 142,000 registered users trading in compromised credentials, personal data, and breach databases.

While takedowns provide temporary disruption, history shows that displaced users typically migrate to alternative forums within weeks. Organizations should use this window to:


🛡️ Recommended Actions

For Enterprise Security Teams

  1. Prioritize enterprise product patching — VPN appliances, firewalls, and security products are now primary zero-day targets
  2. Deploy continuous automated scanning — Manual vulnerability assessments cannot keep pace with 90+ zero-days annually
  3. Monitor for fileless execution patterns — Look for PowerShell hidden windows, Python runtime downloads, and APC injection signatures
  4. Reduce dwell time — The TriZetto breach's 317-day dwell time shows the cost of delayed detection
  5. Patch ICS/OT systems — Old vulnerabilities in Rockwell and similar systems are being actively exploited years after disclosure

For Healthcare Organizations

  1. Audit web portal security — TriZetto's breach originated through a web portal handling insurance eligibility data
  2. Implement network segmentation — Limit blast radius of any single compromise
  3. Deploy behavioral analytics — Detect unauthorized access patterns, especially for databases containing PHI
  4. Review third-party vendor security — Your vendor's security posture is your security posture

Don't Wait 317 Days to Detect a Breach

KENSAI's continuous automated pentesting scans your infrastructure around the clock — finding vulnerabilities before attackers exploit them, including zero-days in enterprise products.

Start Free Security Scan

Stay vigilant. Stay protected.

🗡️ KENSAI Threat Intelligence Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →