Quick Summary
- Google TIG documented 90 zero-day vulnerabilities exploited in the wild in 2025, up 15% from 2024
- Commercial spyware vendors and China-linked groups led exploitation activity
- Vulnerabilities spanned operating systems, browsers, mobile platforms, and enterprise networking equipment
- Report underscores the need for businesses to maintain current software and adopt layered security defences
What Happened
Google's Threat Intelligence Group (TIG) has released its annual zero-day exploitation analysis for 2025, revealing a troubling escalation in the number of previously unknown software vulnerabilities actively exploited by malicious actors. The report documented 90 zero-day vulnerabilities that were exploited in the wild during 2025, a significant increase from the 78 recorded in 2024 and continuing an upward trajectory that has cybersecurity professionals deeply concerned.
According to the research, commercial spyware vendors and China-linked threat groups were the most prolific exploiters of these vulnerabilities. Commercial surveillance companies, which sell hacking tools to governments worldwide, accounted for a substantial portion of the zero-day usage, while Chinese state-sponsored groups maintained their position as the most active nation-state threat actors in this space. The findings underscore a growing sophistication in the global exploit marketplace, where zero-day vulnerabilities are increasingly treated as strategic assets.
The vulnerabilities spanned a wide range of software products, including operating systems, browsers, mobile platforms, and enterprise networking equipment. Google's researchers noted that the diversity of targets reflects attackers' strategy of reaching victims through multiple entry points, including the edge devices that sit at the perimeter itself, making perimeter-based defences alone increasingly insufficient against determined adversaries.
Background and Context
Zero-day vulnerabilities represent one of the most dangerous categories of security flaws because they are exploited before software vendors are aware of their existence, leaving no time to develop and distribute patches. The term "zero-day" refers to the fact that developers have had zero days to address the vulnerability when it is first exploited. These flaws command premium prices on both legitimate and underground markets, with some fetching millions of dollars depending on the target software and the reliability of the exploit.
Google's Threat Intelligence Group has been tracking zero-day exploitation trends for several years, and the data reveals a clear pattern of acceleration. From roughly 60 documented zero-days in 2020, the number has climbed steadily, with the 90 recorded in 2025 representing a 15 percent year-over-year increase. This growth correlates with the expansion of the commercial spyware industry, where companies like those previously exposed in public reporting develop and sell exploit chains to government clients.
The involvement of China-linked groups is consistent with broader intelligence assessments that identify the People's Republic of China as one of the most capable and prolific cyber espionage actors globally. These groups have historically targeted technology companies, government agencies, defense contractors, and telecommunications providers, leveraging zero-day exploits to gain persistent access to high-value networks. The intersection of commercial spyware vendors and state-sponsored groups creates a complex threat landscape where attribution is increasingly challenging.
Why This Matters
The escalating zero-day exploitation trend has implications for every organisation that relies on digital infrastructure, which in 2026 means virtually every business. When 90 previously unknown vulnerabilities are exploited in a single year, the balance is tilting towards attackers. Traditional patch management cycles, which typically run monthly or quarterly, do nothing for the window before a fix exists, and once the fix ships they leave systems exposed for weeks while a now-public vulnerability is picked up by a far wider set of attackers. Closing that second window quickly is within a defender's control; the first window can only be addressed by detection and containment.
For businesses running critical productivity software, this report is a reminder that keeping systems updated is no longer optional: it is a baseline requirement. Organisations running outdated software versions face substantially greater risk, as attackers frequently chain older, unpatched vulnerabilities with newer exploits to breach networks. Investing in affordable Microsoft Office licence options that include the latest security updates is a fundamental step in reducing attack surface. Similarly, ensuring workstations run properly licensed and current operating systems with a genuine Windows 11 key provides access to Microsoft's most current security protections and architectural defences.
The dominance of commercial spyware vendors in zero-day exploitation also raises urgent questions about regulation and accountability. These companies operate in a grey zone where their products can be used for legitimate law enforcement surveillance or for authoritarian suppression of dissidents and journalists. The lack of effective international controls on spyware exports means that sophisticated exploitation capabilities continue to proliferate to an expanding set of state and non-state actors.
Industry Impact
The cybersecurity industry is being forced to rethink its defensive strategies in response to the zero-day escalation. Endpoint detection and response (EDR) vendors are investing heavily in behavioural analysis and machine learning to detect exploitation attempts from anomalous system behaviour rather than known malware signatures. This shift reflects the reality that a signature cannot exist for an exploit nobody has seen yet; signature-based detection still catches known post-exploitation tooling, which is why behavioural detection complements it rather than replaces it.
Cloud service providers and enterprise software vendors are also accelerating their adoption of memory-safe programming languages and secure-by-design principles. Google, Microsoft, and Apple have all announced initiatives to move critical system components to memory-safe languages such as Rust and Swift, which remove most memory-corruption bug classes from new code. However, the legacy codebase across the global software ecosystem is enormous, the new code still has to call into it, and the transition will take years if not decades.
The insurance industry is closely watching these trends as well. Cyber insurance premiums have risen steadily in recent years, and insurers are increasingly requiring policyholders to demonstrate specific security controls and patch management practices. The rising tide of zero-day exploitation could drive further premium increases and more stringent underwriting requirements, particularly for organisations in sectors frequently targeted by state-sponsored actors.
For managed service providers and IT departments, the report reinforces the importance of defence-in-depth strategies that combine network segmentation, least-privilege access controls, continuous monitoring, and rapid incident response capabilities. No single security control can prevent zero-day exploitation, but layered defences can significantly limit the blast radius of a successful attack.
Expert Perspective
The cybersecurity community has long warned that the commercial spyware industry would drive an escalation in zero-day exploitation, and Google's latest data validates those concerns. Industry analysts note that the 90 zero-day figure likely represents only a fraction of actual exploitation activity, as many zero-day attacks are never detected or publicly disclosed. The true number could be substantially higher, particularly in regions with less developed cybersecurity monitoring capabilities.
Security researchers emphasise that the growing involvement of China-linked groups in zero-day exploitation reflects a strategic investment in offensive cyber capabilities that has been building for over a decade. These groups benefit from significant state resources, access to a large pool of technical talent, and a permissive operational environment that enables sustained campaigns against high-value targets worldwide.
The convergence of commercial spyware capabilities with state-sponsored operations creates what some analysts describe as a "zero-day industrial complex" where economic incentives and geopolitical objectives align to drive ever-increasing investment in offensive exploitation research.
What This Means for Businesses
Every business, regardless of size, needs to treat this report as a call to action. The most immediate step is ensuring that all software, operating systems, and firmware are updated to the latest available versions. Automated patch management systems should be deployed wherever possible, with critical security patches applied within hours rather than days or weeks of release.
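As an added example (not code from the article or from Google's report), the following Python check applies the patch-cadence point above to a constructed software inventory: it compares installed versions against the first fixed version component-wise, which a plain string comparison gets wrong, and measures how long each unpatched host has been exposed since the vendor shipped the fix against an assumed 24-hour SLA. Product names, version numbers, timestamps and the inventory layout are all constructed assumptions.

```python
"""Patch-exposure check against vendor fix versions and a patch SLA.

Added example; not code from the article or from Google's report.
Products, versions, timestamps and the inventory layout are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed fix records: product -> (first fixed version, vendor release time).
FIXES = {
    "browser": ("120.0.6099.109", "2025-06-01T18:00:00Z"),
    "office-suite": ("16.0.17328.20068", "2025-06-02T09:00:00Z"),
}

# Constructed inventory export: host,product,installed version,last check-in.
INVENTORY = """\
ws-017,browser,120.0.6099.71,2025-06-03T08:00:00Z
ws-042,browser,120.0.6099.109,2025-06-03T08:00:00Z
ws-055,browser,120.0.6099.9,2025-06-03T08:00:00Z
ws-042,office-suite,16.0.17328.20068,2025-06-03T08:00:00Z
ws-099,office-suite,16.0.17231.20194,2025-06-03T08:00:00Z
"""

# Hours allowed between vendor release and installation (assumed policy).
PATCH_SLA = timedelta(hours=24)


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> tuple of ints for component-wise comparison.

    Comparing version strings lexically is a classic inventory bug:
    "120.0.6099.9" > "120.0.6099.109" as strings, although it is older.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def naive_is_patched(installed: str, fixed: str) -> bool:
    """The buggy string comparison, kept only to show the failure."""
    return installed >= fixed


def is_patched(installed: str, fixed: str) -> bool:
    return parse_version(installed) >= parse_version(fixed)


def parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def exposure_report(inventory_csv: str, fixes: dict, now: datetime) -> list:
    """Return one record per host still missing a fix, with SLA status."""
    report = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, installed, _seen = line.split(",")
        if product not in fixes:
            continue
        fixed, released = fixes[product]
        if is_patched(installed, fixed):
            continue
        since_fix = now - parse_ts(released)
        report.append({
            "host": host,
            "product": product,
            "installed": installed,
            "fixed": fixed,
            "hours_since_fix": since_fix / timedelta(hours=1),
            "sla_breached": since_fix > PATCH_SLA,
        })
    return report


if __name__ == "__main__":
    now = parse_ts("2025-06-03T08:00:00Z")  # constructed "current" time
    for rec in exposure_report(INVENTORY, FIXES, now):
        flag = "SLA BREACH" if rec["sla_breached"] else "within SLA"
        print(f'{rec["host"]:7} {rec["product"]:13} {rec["installed"]:17} '
              f'-> {rec["fixed"]:17} {rec["hours_since_fix"]:5.1f}h {flag}')
```

The host ws-055 is the instructive row: a string comparison reports it as patched because "9" sorts after "1", while the component-wise comparison correctly lists it as 38 hours past the fix and in breach of the SLA.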
Organisations should also invest in advanced endpoint protection that goes beyond traditional antivirus solutions. Modern EDR platforms that leverage behavioural analysis can detect and contain zero-day exploitation attempts even when the specific vulnerability is unknown. Additionally, businesses should implement network segmentation to limit lateral movement by attackers who successfully exploit a zero-day vulnerability, and maintain robust backup systems to enable rapid recovery from potential compromises.
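The behavioural detection discussed in the Industry Impact section and in the paragraph above, as an added example rather than any vendor's EDR logic or Google's code: a parent/child process rule run over constructed process-creation events. A browser or document viewer spawning a shell, script host or loader is one of the most common first visible steps after a client-side exploit, and flagging it does not require knowing which vulnerability was used. The event format, process names and indicator lists are assumptions to be tuned per environment.

```python
"""Behavioural detection: content-handling apps spawning shells or loaders.

Added example; not a vendor's EDR logic or Google's code. The event
format, process names and indicator lists are constructed assumptions.
"""
import ntpath
from dataclasses import dataclass

# Constructed process-creation telemetry, tab-separated:
# timestamp, host, parent image, child image, child command line.
SAMPLE_EVENTS = """\
2025-06-01T09:00:01Z\tws-017\tC:\\Windows\\explorer.exe\tC:\\Program Files\\Browser\\browser.exe\tbrowser.exe --profile-directory=Default
2025-06-01T09:00:07Z\tws-017\tC:\\Program Files\\Browser\\browser.exe\tC:\\Program Files\\Browser\\browser.exe\tbrowser.exe --type=renderer
2025-06-01T09:00:09Z\tws-017\tC:\\Program Files\\Browser\\browser.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c whoami
2025-06-01T09:01:12Z\tws-042\tC:\\Program Files\\Office\\WINWORD.EXE\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -nop -w hidden -enc SQBFAFgA
2025-06-01T09:02:00Z\tws-042\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir
2025-06-01T09:03:30Z\tws-099\tC:\\Program Files\\Office\\EXCEL.EXE\tC:\\Windows\\System32\\rundll32.exe\trundll32.exe C:\\Users\\Public\\x.dll,Start
"""

# Applications that render untrusted content (web pages, documents, mail) and
# have no business launching an interpreter or loader directly. Assumed list.
CONTENT_HANDLERS = {"browser.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                    "outlook.exe", "acrord32.exe"}
# Interpreters and loaders that typically appear as the first post-exploitation
# stage because they are already present on every host. Assumed list.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                   "certutil.exe", "bitsadmin.exe"}
# Argument tokens that raise severity: encoded or hidden PowerShell, in-memory eval.
SUSPICIOUS_TOKENS = {"-enc", "-encodedcommand", "-nop", "-noprofile", "hidden",
                     "iex", "downloadstring"}
# Loading code from user-writable locations also raises severity.
WRITABLE_PATH_HINTS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    ts: str
    host: str
    parent: str
    child: str
    severity: str
    reasons: list


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("\t", 4)
        events.append(Event(ts, host, parent, image, cmdline))
    return events


def basename(path: str) -> str:
    # ntpath handles Windows paths correctly even when analysed on Linux.
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Flag content handlers spawning interpreters/loaders; grade by arguments."""
    findings = []
    for ev in events:
        parent, child = basename(ev.parent), basename(ev.image)
        # The rule is about the parent/child pair, not the child alone, so a
        # user opening cmd.exe from explorer.exe is not flagged, nor is a
        # browser spawning its own renderer processes.
        if parent not in CONTENT_HANDLERS or child not in LOLBIN_CHILDREN:
            continue
        reasons = [f"{parent} spawned {child}"]
        cmdline = ev.cmdline.lower()
        arg_hits = sorted(set(cmdline.split()) & SUSPICIOUS_TOKENS)
        if arg_hits:
            reasons.append("suspicious arguments: " + ", ".join(arg_hits))
        if any(hint in cmdline for hint in WRITABLE_PATH_HINTS):
            reasons.append("code loaded from a user-writable path")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append(Finding(ev.ts, ev.host, parent, child, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f.ts} {f.host} [{f.severity}] " + "; ".join(f.reasons))
```

Of the six constructed events, three are flagged: the browser launching cmd.exe (medium), Word launching hidden encoded PowerShell (high), and Excel loading a DLL from a public folder via rundll32 (high). The two explorer.exe launches and the browser's own renderer are ignored because the rule keys on the parent/child pair rather than on the child alone, which keeps it usable in the noisy environments where segmentation and backups are the fallback when detection misses.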
For companies evaluating their software licensing and procurement strategies, the security implications of running current, fully supported software cannot be overstated. Browsing enterprise productivity software options that include ongoing security updates is a critical component of any comprehensive cybersecurity posture.
Key Takeaways
- Google TIG documented 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024, continuing the upward trend
- Commercial spyware vendors and China-linked threat groups were the primary exploiters of zero-day vulnerabilities
- The findings highlight the inadequacy of traditional patch management cycles against zero-day threats
- Businesses must adopt defence-in-depth strategies combining updated software, EDR, network segmentation, and incident response
- The commercial spyware industry continues to drive escalation in offensive cyber capabilities globally
- Running current, licensed software with the latest security patches is a fundamental defensive requirement
Looking Ahead
The trajectory of zero-day exploitation shows no signs of slowing. As artificial intelligence tools become more sophisticated, they may accelerate both the discovery of new vulnerabilities and the development of exploits, potentially pushing annual zero-day counts even higher. The cybersecurity industry must continue evolving its defensive capabilities at pace, while policymakers face growing pressure to establish meaningful controls on the commercial spyware market and strengthen international norms against state-sponsored cyber exploitation.
Frequently Asked Questions
What is a zero-day vulnerability?
A zero-day vulnerability is a software security flaw that is exploited by attackers before the software vendor is aware of it, meaning there are zero days available to develop a fix before attacks begin.
Why are zero-day exploits increasing?
The growth is driven by the expanding commercial spyware industry, increased state-sponsored cyber operations, and the broadening attack surface created by the proliferation of connected devices and software platforms.
How can businesses protect against zero-day attacks?
Businesses should keep all software updated, deploy advanced endpoint detection and response tools, implement network segmentation, maintain regular backups, and adopt a defence-in-depth security strategy.