Google Data Shows Drop in Zero Days in 2024, But More Focus on Security Products

Google’s threat intelligence researchers identified 75 individual zero days that were exploited in the wild in 2024, a significant decrease from the 98 zero days identified in 2023. However, attackers are continuing to focus their efforts on valuable targets such as edge security and networking devices, which accounted for more than 25 percent of all of the zero days identified last year. 

Why It Matters: Google’s Threat Intelligence Group (GTIG) is one of the premier CTI teams in the industry and pays special attention to the use of zero days, the groups that exploit them, and the products that are targeted. The group tracks not just the sheer volume of zero days used each year, but also the ways in which they’re used and historical trends in targeting. Since GTIG began publishing data on zero day exploitation in 2019, the numbers have been trending upward over time, with some year-to-year variances, of course. In 2019 and 2020, there were 31 zero days identified as being exploited in the wild each year. 2021 saw a huge jump to 95 and then 63 and 98 in 2022 and 2023, respectively.

Key Details

• Of the 75 zero days tracked by GTIG last year, 20 were in security and networking products, which have emerged as favored targets for APT groups and cybercrime gangs alike

• 33 of the 75 vulnerabilities were in enterprise products, including those security and networking devices

• The remaining 42 vulnerabilities were in consumer-facing products such as mobile devices, browsers, and OS

• In terms of vendors, 26 of the zero days were in Microsoft products, 11 were in Google products, seven were in Ivanti products, and five were in Apple products

• It will come as no surprise that more than 29 percent of zero days were attributed to state-backed espionage groups, and another 23.5 percent were attributed to mercenary spyware vendors

“Threat actors continued to utilize zero-day vulnerabilities primarily for the purposes of gaining remote code execution and elevating privileges. In 2024, these consequences accounted for over half (42) of total tracked zero-day exploitation,” the report says.

“Zero-day vulnerabilities in security software and appliances were a high-value target in 2024. We identified 20 security and networking vulnerabilities, which was over 60% of all zero-day exploitation of enterprise technologies. Exploitation of these products, compared to end-user technologies, can more effectively and efficiently lead to extensive system and network compromises, and we anticipate adversaries will continue to increase their focus on these technologies.”

Header image from GTIG report.