Google Threat Intelligence Reports 90 Zero-Day Exploits as State Groups Pivot Toward Edge Device Vulnerabilities
Google Threat Intelligence reports 90 zero-day exploits in 2025, with enterprise products and edge devices facing record-high attacks from state-sponsored groups.
By: AXL Media
Published: Mar 6, 2026, 10:45 AM EST
Source: The information in this article was sourced from ITPro

Record Highs in Enterprise Product Exploitation
Google Threat Intelligence (GTG) has documented a significant shift in the cyber threat landscape, tracking 90 zero-day vulnerabilities exploited throughout 2025. While this total is slightly lower than the record 100 cases seen in 2023, the data reveals an alarming trend: enterprise products were targeted at an all-time high of 43 instances. Researchers noted that while browser-based exploitation has reached a historical low, the abuse of operating systems is steadily increasing, suggesting that attackers are moving deeper into infrastructure layers to find viable entry points into secured networks.

State Espionage Shifts to the Network Edge
State-sponsored espionage groups are increasingly prioritizing edge devices and security appliances as their primary gateways into victim environments. According to GTG researchers, over half of the zero-day exploitation attributed to these groups focused on these specific technologies. Unlike traditional endpoints, edge devices often lack comprehensive internal visibility, providing attackers with a strategic advantage. Because these systems frequently log only basic traffic summaries or configuration changes, they leave significant gaps in detection that allow threat actors to mask the true scale of their lateral movement across a network.

The Rise of Commercial Surveillance Vendors
In a notable shift for the cybersecurity industry, 2025 marked the first time more zero-day exploits were attributed to commercial surveillance vendors (CSVs) than to traditional state-sponsored espionage entities. These commercial actors have maintained a sharp focus on mobile and browser exploitation, continuously evolving their exploit chains to circumvent the latest mobile security improvements. This trend highlights a professionalized market for vulnerabilities where commercial entities are successfully adapting to new security boundaries, often deploying complex malware such as Brickstorm to achieve diverse objectives, including the theft of valuable intellectual property from technology firms.