Look What You Made Us Patch: 2025 Zero-Days in Review

I’m a big fan of reports like this because they help us step back and look at trends across the threat landscape.

Google’s threat intelligence team has visibility into an enormous amount of exploitation activity across the internet, so when they publish a dataset like this, it’s worth paying attention to.

The big headline: 90 zero-days were exploited in the wild in 2025. That might sound like a lot, but the more interesting takeaway is that it actually suggests things have stabilized.

The number of exploited zero-days peaked at 100 in 2023, dropped to 78 in 2024, and now sits at 90 in 2025. Over the past four years, we’ve consistently seen exploited zero-days fall somewhere between 60 and 100 per year.

From a defender’s perspective, that range is probably a realistic expectation moving forward. Attackers are going to weaponize dozens of zero-day vulnerabilities every year.

Attackers Target Enterprise Systems

What really stood out to me in this year’s data is the shift toward enterprise technology exploitation. Nearly half of the exploited zero-days in 2025 affected enterprise platforms, which is the highest proportion we’ve seen so far.

Over the past year, we’ve seen major vulnerabilities in things like network security appliances, VPN gateways, edge infrastructure and enterprise software platforms.

Devices sitting on the network edge are particularly attractive targets. They’re often exposed to the internet, they have high privileges inside corporate networks, and they’re sometimes harder to monitor with traditional endpoint security tools.

Browser Exploitation Dropping

Another trend I found interesting is that browser-based zero-day exploitation is declining.

Historically, browsers have been one of the most common entry points for attackers because they process untrusted content constantly. But modern browsers have invested heavily in security features like sandboxing, exploit mitigations and improved memory safety. It looks like those protections may be forcing attackers to move elsewhere.

Operating Systems Back In Focus

At the same time browser exploitation is declining, operating system vulnerabilities are becoming more common targets again. That’s notable because a few years ago we were seeing a shift away from OS vulnerabilities as operating systems became harder to exploit. Now the trend appears to be reversing.

My guess is that improvements in browser sandboxing and exploit mitigations are making browsers harder to attack directly, so attackers are investing more effort into operating system exploits that allow them to break out of those protections.

Why It Matters

The most important thing about this report is that it focuses on zero-days exploited in the wild, not just vulnerabilities that exist. There are thousands of vulnerabilities disclosed every year, but only a small percentage of them actually get weaponized in real-world attacks.

That’s why tracking exploited zero-days gives us a much clearer picture of where attackers are investing their time and resources.

Attackers are increasingly focusing on enterprise infrastructure and operating systems, while browsers appear to be getting harder to exploit.

That means keeping a close eye on vulnerabilities affecting the systems that sit at the edge of corporate networks, because those are becoming some of the most valuable targets attackers can hit.