Google says that despite a small dip in the number of exploited zero-day vulnerabilities in 2024, the number of attacks using these novel bugs continues on an upward trend overall.
Data released by Google Threat Intelligence Group (GTIG) today, timed with the ongoing RSA Conference 2025, revealed that 75 zero-days were exploited last year. The number is down from 2023’s figure of 98, but an increase from 63 the year before, suggesting that zero-days continue to be a hot commodity for the most well-resourced attackers.
Over 50 percent of the confirmed zero-days were used for cyberespionage campaigns carried out by state-sponsored groups and customers of spyware companies, or as Google calls them, “commercial surveillance vendors.”
Google’s researchers highlighted China and spyware companies – none of which were named specifically – as the main culprits here, exploiting five and eight zero-days respectively in 2024.
However, North Korea also featured with its state-backed attackers accounting for five zero-day exploits – the first time the country has been mentioned in the same breath as the usual leaders in this regard.
“GTIG tracked 75 exploited-in-the-wild zero-day vulnerabilities that were disclosed in 2024,” said Google’s researchers. “This number appears to be consistent with a consolidating upward trend that we have observed over the last four years.
“After an initial spike in 2021, yearly counts have fluctuated but not returned to the lower numbers we saw in 2021 and prior.”
Google noted, however, that the surge in confirmed zero-day exploits from 2021 onward, compared to figures from years before that, could well be due to the industry’s improvements both in technical detections and public disclosures of such attacks.
Zero-day bugs in enterprise tech solutions are also seemingly still the most valuable, with the focus on these products remaining consistently strong in 2023 and 2024.
For the second year in a row, Google said, the majority of exploited zero-days (52 percent) were in end-user platforms and products, which are used by both consumers and professionals; the remaining 33 of the 75 zero-days were specifically in enterprise kit.
The number of enterprise-specific zero-days decreased slightly from 2023’s 36, but accounted for a greater proportion of the total zero-days for the year (44 percent vs 37 percent), and 20 of the 33 were in security and networking products. Google named Ivanti Cloud Services Appliance, Palo Alto Networks PAN-OS, Cisco Adaptive Security Appliance, and Ivanti Connect Secure VPN among the most notable of these.
“Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks,” Google said.
“Endpoint detection and response (EDR) tools are not usually equipped to work on these products, limiting available capabilities to monitor them. Additionally, exploit chains are not generally required to exploit these systems, giving extensive power to individual vulnerabilities that can single-handedly achieve remote code execution or privilege escalation.”
Alongside security and networking vendors, the big three tech vendors shared the majority of the enterprise zero-days. Microsoft had 26, Google 11, and Apple five – putting them first, second, and fourth in the rankings for most-targeted vendors. Ivanti slid in to take the number-three spot with seven novel vulns.
“Ivanti’s placement in the top three reflects a new and crucial change, where a security vendor was targeted more frequently than a popular end-user technology-focused vendor,” Google said, before saying the rankings are not necessarily an indicator of any given vendor’s security posture.
Since the early stages of the Ivanti vulnerability disclosures last year, Google has linked their exploitation to China’s UNC5221, and did the same more recently regarding the Ivanti zero-days earlier this month.
“The exploitation of five vulnerabilities that we attributed to PRC groups exclusively focused on security and networking technologies,” Google said. “This continues a trend that we have observed from PRC groups for several years across all their operations, not just in zero-day exploitation.”
Outlook is bleak
All the signs point to zero-days maintaining their popularity. Disregarding the inherent, obvious advantage that novel, patchless vulnerabilities provide to attackers, it’s not just Google saying that zero-days are easier to come by these days.
The underground marketplace for such exploits is thriving at the moment, with so-called zero-day brokers reportedly earning multiple millions for single vulnerabilities. Plus, with the slow uptake of secure-by-design and secure-by-default development practices, which are allowing decades-old vulnerability classes to continually crop up in widely used software, the current environment lends itself well to the procurement of zero-days.
The Five Eyes intelligence alliance warned in November 2024 that the majority of the most prolifically abused vulnerabilities last year were zero-days – a trend that continued from the year before.
Ollie Whitehouse, CTO at the UK’s NCSC, said at the time that it was imperative that vendors stay on the front foot by proactively improving their processes to reduce the number of vulnerabilities present in their products, and issue patches quickly. Equally, defenders were urged to be vigilant when it comes to vulnerability management.
“More routine initial exploitation of zero-day vulnerabilities represents the new normal, which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks,” he added.
Likewise, Google said that due to big tech companies routinely being at the center of zero-day attacks, their experience with handling these will likely mean they approach zero-days as “a more manageable problem” rather than a catastrophic business risk. For smaller vendors or those with emerging products, preventing zero-days will require more proactive effort on their part, including the adoption of safer development practices.
Google also expects zero-day exploitation to increase steadily over the coming years, especially in enterprise tech, despite vendors improving both their security practices and historically targeted products like smartphones and browsers. ®