Google Threat Intelligence Group's annual zero-day analysis reveals 90 vulnerabilities exploited in the wild during 2025 — with nearly half targeting enterprise security products, networking appliances, and cloud infrastructure. Spyware vendors and China-linked APTs dominate attribution. Meanwhile, a 3.4-million-patient healthcare breach and new fileless malware campaigns demonstrate why continuous vulnerability scanning is no longer optional.
Google Threat Intelligence Group (GTIG) tracks zero-day vulnerabilities exploited in the wild each year. The 2025 report marks one of the highest years on record, with 90 zero-days confirmed exploited — up from 73 in 2024 and approaching 2021's peak of 97.
The most significant finding: approximately 45 of the 90 zero-days (50%) directly targeted enterprise products rather than consumer endpoints. This represents a dramatic shift from previous years when browsers and mobile operating systems dominated the zero-day exploitation landscape.
| Category | Zero-Days (2025) | Percentage | Trend vs 2024 |
|---|---|---|---|
| Enterprise Security Products | ~20 | 22% | 🔺 Up significantly |
| Networking/VPN Appliances | ~15 | 17% | 🔺 Up |
| Cloud/SaaS Platforms | ~10 | 11% | 🔺 Up |
| Mobile OS (iOS/Android) | ~18 | 20% | 🔻 Down |
| Browsers | ~12 | 13% | 🔻 Down |
| Desktop OS | ~15 | 17% | ➡️ Stable |
Less than half of the 90 zero-days could be attributed to specific threat actors, but the leading groups paint a clear picture:
1. Commercial spyware vendors — NSO Group, Intellexa, and newer entrants continue to dominate zero-day exploitation, accounting for roughly 30% of attributed zero-days.
2. China-linked APT groups — Multiple Chinese state-backed groups (Salt Typhoon, Volt Typhoon, APT41) exploited enterprise-focused zero-days targeting networking equipment and cloud platforms.
3. Russia-linked groups — Focused primarily on Ukrainian and European targets using zero-days in Microsoft products.
4. North Korea — Increasingly sophisticated, targeting cryptocurrency platforms and developer tools.
Several factors explain the shift toward enterprise targeting:
TriZetto Provider Solutions (a Cognizant subsidiary) disclosed a data breach affecting 3,433,965 individuals. Attackers had unauthorized access for nearly a year — from November 2024 to October 2025.
| Date | Event |
|---|---|
| November 19, 2024 | Unauthorized access begins |
| October 2, 2025 | Suspicious activity detected |
| December 9, 2025 | Affected providers notified |
| February 2026 | Customer notifications begin |
| March 6, 2026 | Maine AG filing confirms 3.4M affected |
The 317-day dwell time (from initial access to detection) is particularly alarming and underscores the need for continuous monitoring and automated threat detection. Cognizant previously faced scrutiny after the 2020 Maze ransomware incident and a Scattered Spider-related breach through its help desk.
Securonix researchers have documented VOID#GEIST, a sophisticated multi-stage malware campaign that delivers XWorm, AsyncRAT, and Xeno RAT through fileless execution techniques.
-WindowStyle Hiddenexplorer.exeThe VOID#GEIST campaign represents a broader industry shift from standalone executables toward modular, script-based delivery frameworks. Each stage appears innocuous in isolation, mimicking legitimate administrative activity. The use of a legitimate embedded Python runtime from python.org eliminates dependencies and evades application allowlisting.
| RAT | Capabilities | Encrypted File |
|---|---|---|
| XWorm | Full remote access, keylogging, screen capture, persistence | new.bin |
| AsyncRAT | Asynchronous C2 communication, plugin extensibility, credential theft | pul.bin |
| Xeno RAT | Open-source RAT with HVNC, microphone/webcam access | xn.bin |
Cisco has confirmed that two recently patched Catalyst SD-WAN vulnerabilities — CVE-2026-20128 and CVE-2026-20122 — are now being actively exploited in the wild. Organizations running affected SD-WAN configurations should apply patches immediately or implement the recommended workarounds.
A Rockwell Automation vulnerability originally disclosed and mitigated in 2021 has been confirmed as actively exploited in attacks targeting industrial control systems. This highlights a persistent challenge in OT/ICS environments: even when patches exist, they often aren't applied due to operational constraints and downtime concerns.
If your organization runs Rockwell programmable logic controllers (PLCs), verify patch status immediately. Remote exploitation of ICS systems can lead to physical process manipulation, safety system bypasses, and operational disruption.
In a positive development, the LeakBase cybercrime forum has been shut down by law enforcement, with suspects arrested. The stolen credential marketplace had been active since 2021 and hosted 142,000 registered users trading in compromised credentials, personal data, and breach databases.
While takedowns provide temporary disruption, history shows that displaced users typically migrate to alternative forums within weeks. Organizations should use this window to:
KENSAI's continuous automated pentesting scans your infrastructure around the clock — finding vulnerabilities before attackers exploit them, including zero-days in enterprise products.
Start Free Security ScanStay vigilant. Stay protected.
🗡️ KENSAI Threat Intelligence Team