Google Threat Intelligence Group's annual zero-day analysis reveals 90 취약점 익스플로잇ed 실전에서 during 2025 — with nearly half targeting enterprise security products, networking appliances, and cloud infrastructure. Spyware vendors and China-linked APTs dominate attribution. Meanwhile, a 3.4-million-patient healthcare breach and new fileless 악성코드 campaigns demonstrate why continuous 취약점 scanning is no longer optional.
Google Threat Intelligence Group (GTIG) tracks zero-day 취약점 익스플로잇ed 실전에서 each year. The 2025 report marks one of the highest years on record, with 90 zero-days confirmed 익스플로잇ed — up from 73 in 2024 and approaching 2021's peak of 97.
The most significant finding: approximately 45 of the 90 zero-days (50%) directly targeted enterprise products rather than consumer endpoints. This represents a dramatic shift from previous years when browsers and mobile operating systems dominated the zero-day 익스플로잇ation landscape.
| Category | Zero-Days (2025) | Percentage | Trend vs 2024 |
|---|---|---|---|
| Enterprise Security 제품s | ~20 | 22% | 🔺 Up significantly |
| Networking/VPN Appliances | ~15 | 17% | 🔺 Up |
| Cloud/SaaS Platforms | ~10 | 11% | 🔺 Up |
| Mobile OS (iOS/Android) | ~18 | 20% | 🔻 Down |
| Browsers | ~12 | 13% | 🔻 Down |
| Desktop OS | ~15 | 17% | ➡️ Stable |
Less than half of the 90 zero-days could be attributed to specific 위협 행위자s, but the leading groups paint a clear picture:
1. Commercial spyware vendors — NSO Group, Intellexa, and newer entrants continue to dominate zero-day 익스플로잇ation, accounting for roughly 30% of attributed zero-days.
2. China-linked APT groups — Multiple Chinese state-backed groups (Salt Typhoon, Volt Typhoon, APT41) 익스플로잇ed enterprise-focused zero-days targeting networking equipment and cloud platforms.
3. Russia-linked groups — Focused primarily on Ukrainian and European targets using zero-days in Microsoft products.
4. 아니오rth Korea — Increasingly sophisticated, targeting cryptocurrency platforms and developer tools.
Several factors explain the shift toward enterprise targeting:
TriZetto Provider Solutions (a Cognizant subsidiary) disclosed a data breach affecting 3,433,965 individuals. Attackers had unauthorized access for nearly a year — from 아니오vember 2024 to October 2025.
| 날짜 | Event |
|---|---|
| 아니오vember 19, 2024 | Unauthorized access begins |
| October 2, 2025 | Suspicious activity detected |
| December 9, 2025 | Affected providers notified |
| February 2026 | Customer notifications begin |
| March 6, 2026 | Maine AG filing confirms 3.4M affected |
The 317-day dwell time (from 초기 접근 to detection) is particularly alarming and underscores the need for continuous monitoring and automated threat detection. Cognizant previously faced scrutiny after the 2020 Maze 랜섬웨어 incident and a Scattered Spider-related breach through its help desk.
Securonix researchers have documented VOID#GEIST, a sophisticated multi-stage 악성코드 campaign that delivers XWorm, AsyncRAT, and Xeno RAT through fileless execution techniques.
-WindowStyle Hiddenexplorer.exeThe VOID#GEIST campaign represents a broader industry shift from standalone executables toward modular, script-based delivery frameworks. Each stage appears innocuous in isolation, mimicking legitimate administrative activity. The use of a legitimate embedded Python runtime from python.org eliminates dependencies and evades application allowlisting.
| RAT | Capabilities | Encrypted File |
|---|---|---|
| XWorm | Full remote access, keylogging, screen capture, persistence | new.bin |
| AsyncRAT | Asynchronous C2 communication, plugin extensibility, 자격 증명 theft | pul.bin |
| Xeno RAT | Open-source RAT with HVNC, microphone/webcam access | xn.bin |
Cisco has confirmed that two recently patched Catalyst SD-WAN 취약점 — CVE-2026-20128 and CVE-2026-20122 — are now being 실전에서 활성 악용 중. 다음을 운영하는 조직은 affected SD-WAN configurations should apply patches immediately or implement the recommended 임시 해결책s.
A Rockwell Automation 취약점 originally disclosed and mitigated in 2021 has been confirmed as actively 익스플로잇ed in attacks targeting industrial control systems. This highlights a persistent challenge in OT/ICS environments: even when patches exist, they often aren't applied due to operational constraints and downtime concerns.
If your organization runs Rockwell programmable logic controllers (PLCs), verify patch status immediately. Remote 익스플로잇ation of ICS systems can lead to physical process manipulation, safety system bypasses, and operational disruption.
In a positive development, the LeakBase cybercrime forum has been shut down by law enforcement, with suspects arrested. The stolen 자격 증명 marketplace had been active since 2021 and hosted 142,000 registered users trading in compromised 자격 증명, personal data, and breach databases.
While takedowns provide temporary disruption, history shows that displaced users typically migrate to alternative forums within weeks. 조직은 해야 합니다 use this window to:
KENSAI's continuous automated pentesting scans your infrastructure around the clock — finding 취약점 before attackers 익스플로잇 them, including zero-days in enterprise products.
Start Free Security ScanStay vigilant. Stay protected.
🗡️ KENSAI Threat Intelligence Team