Google’s Threat Intelligence Group has dropped a stark report on the state of zero-day exploitation in 2025, and the findings should make every enterprise security team uncomfortable. The headline number: roughly half of all zero-day vulnerabilities the company tracked last year were aimed squarely at enterprise technology — security appliances, networking gear, and other infrastructure products that are supposed to protect organizations, not expose them.
The report, first covered by TechCrunch, paints a picture of attackers increasingly shifting their focus from consumer-facing software like browsers and mobile operating systems toward the corporate tools that sit at the perimeter of networks. That’s a deliberate, strategic pivot — and it’s working.
Not a surprise to anyone paying attention.
Google tracked 75 zero-day vulnerabilities exploited in the wild during 2025, down slightly from the 98 recorded in 2023 but consistent with the general upward trend over the past several years. The raw count matters less than where attackers are directing their efforts. According to Google’s data, enterprise-specific technologies accounted for 44% of all zero-days exploited in 2025, up from 37% in 2024. Security and networking products alone represented more than 60% of all enterprise-targeted zero-day exploitation.
Think about that for a second. The products organizations deploy specifically to defend their networks are the ones being exploited most aggressively.
Enterprise security products are now the primary attack surface — and vendors aren’t keeping up
The shift toward enterprise targets reflects cold economic logic on the part of attackers. Compromising a single enterprise security appliance — a VPN gateway, a firewall, an email security product — can grant broad access to an entire corporate network in one move. That’s far more efficient than chaining together multiple exploits against a browser or mobile device to reach a single user. Products from Ivanti, Palo Alto Networks, Cisco, and other major vendors were among those hit, according to Google’s findings.
And this isn’t just opportunistic hacking. Google’s report attributes a significant share of zero-day exploitation to state-sponsored actors, particularly groups linked to China. Espionage-motivated attackers accounted for the largest identified share of zero-day use. Commercial surveillance vendors — the companies that sell spyware to governments — were the second most prolific exploiters, responsible for a notable portion of tracked zero-days.
The Chinese government-backed groups are especially focused on network edge devices. These are products that sit at the boundary between an organization’s internal network and the internet, handling traffic from VPNs, firewalls, and routers. They’re attractive targets because they often run proprietary or stripped-down operating systems that lack modern endpoint detection tools. Once compromised, they can be difficult to inspect or remediate.
Google specifically called out the recurring exploitation of Ivanti products, which have been a favorite target for multiple threat actors over the past two years. Ivanti’s Connect Secure VPN appliance, in particular, has been hit repeatedly — a pattern that suggests either deeply embedded code quality issues or an architecture that makes patching and hardening exceptionally difficult. Probably both.
On the consumer side, browsers and mobile devices still see zero-day exploitation, but the numbers are declining. Google noted that Chrome, Safari, iOS, and Android all saw fewer zero-days in 2025 compared to previous years. The company credits investments in exploit mitigations — things like memory safety improvements, lockdown modes, and sandboxing — with making consumer products harder and more expensive to attack. Microsoft Windows remained a consistent target, though, with 22 zero-days exploited across the year, reflecting its enormous installed base and the complexity of its legacy codebase.
So the attackers go where the defenses are weakest. Right now, that’s enterprise infrastructure.
One of the most concerning threads in the report is how many enterprise zero-days target products that don’t support endpoint detection and response (EDR) agents. Security appliances and networking equipment typically can’t run the same monitoring software that protects laptops and servers. That creates blind spots. Attackers know this and deliberately target those blind spots, achieving persistence on devices that security teams have limited visibility into.
Google’s researchers also noted that exploitation timelines are compressing. The gap between a vulnerability being discovered (or a patch being released) and active exploitation appearing in the wild continues to shrink. In some cases, attackers are exploiting vulnerabilities within days of public disclosure. In others, they’ve found the bugs independently and are exploiting them before any patch exists at all.
For enterprise security leaders, the implications are blunt. Perimeter devices need to be treated as high-value targets, not trusted infrastructure. Patching cycles for security appliances and network gear need to be as aggressive — if not more so — than those for endpoints. Organizations should demand better transparency from vendors about their internal security practices, code audit processes, and vulnerability response timelines. And the industry broadly needs to reckon with the fact that many of the products sold to protect networks are themselves among the most exploited software on the planet.
Google’s report isn’t an outlier finding. It aligns with warnings from CISA, Mandiant, and other threat intelligence firms that have been flagging the enterprise perimeter as an escalating risk area for at least two years. But the 2025 data makes the trend undeniable. Attackers have recalibrated. The question is whether enterprise vendors and their customers will do the same fast enough to matter.


WebProNews is an iEntry Publication