Full Report
Google Threat Intelligence Group (GTIG) said it tracked 90 zero-day vulnerabilities exploited in the wild by a variety of actors in 2025, up from the 78 it counted in 2024.
Analysis Summary
The following summary provides a technical analysis of the 2025 zero-day landscape as reported by Google’s Threat Intelligence Group (GTIG). While the report covers 90 zero-days, this breakdown focuses on the specific high-priority vulnerabilities and actor trends highlighted in the text.
# Vulnerability: 2025 Zero-Day Exploitation Trends (State-Backed & Commercial)
## CVE Details
* **CVE ID:** CVE-2025-21590 (Juniper Networks Junos OS) and CVE-2025-0282 (Ivanti Connect Secure) are the two CVEs the report singles out; they are examples of the edge-device class, not the full set of 90.
* **CVSS Score:** Not given in the report. Take the score for each CVE from the vendor advisory rather than assuming a 9.0-10.0 rating; edge-device zero-days range from local privilege escalation to unauthenticated remote code execution.
* **CWE:** Not given in the report. The underlying weakness differs per CVE; "remote code execution" and "privilege escalation" describe impact, not the CWE.
## Affected Systems
* **Products:**
* **Edge Devices/Security Appliances:** Juniper Networks routers/switches, Ivanti gateways, Cisco ASA firewalls, Fortinet FortiWeb.
* **Mobile Platforms:** Apple iOS and Google Android.
* **Desktop/Cloud:** Operating systems from Microsoft, Google, and Apple.
* **Versions:** Varies by vendor. End-of-Life (EoL) edge devices are exposed regardless of version because they no longer receive firmware fixes.
* **Configurations:** Edge devices sitting on the network perimeter; mobile devices targeted via exploit chains of three or more vulnerabilities linked together.
## Vulnerability Description
The 2025 landscape shifted toward three distinct technical focuses:
1. **Edge/Peripheral Flaws:** Exploitation of network-facing appliances (firewalls, routers, VPN gateways) that cannot host Endpoint Detection and Response (EDR) agents, so an implant on them produces little host telemetry and can persist unnoticed.
2. **IP-Focused Exploits:** Chinese-linked actors (e.g., the operators behind the Brickstorm backdoor) target source code and proprietary IP at software vendors in order to find vulnerabilities they can then exploit "downstream" in those vendors' customers.
3. **Exploit Chains:** Commercial surveillance vendors have moved away from single-flaw exploits toward chains of three or more vulnerabilities, because modern mobile mitigations rarely fall to a single bug.
## Exploitation
* **Status:** Exploited in the wild (90 total zero-days in 2025).
* **Complexity:** Medium to High (mobile attacks require chaining three or more bugs; edge-device exploitation varies by CVE).
* **Attack Vector:** Network (for edge devices); User Interaction/Remote (for mobile).
## Impact
* **Confidentiality:** High (exfiltration of sensitive IP and mobile communications).
* **Integrity:** High (malware persistence on edge devices).
* **Availability:** Medium to High (potential for "bricking" or disrupting services).
## Remediation
### Patches
* **Juniper/Ivanti/Cisco/Fortinet:** Apply the vendor security updates for the CVEs listed above; for the other edge-device zero-days counted in the report, consult each vendor's advisory.
* **Mobile:** Update iOS and Android to the latest security patch level. A chain is broken as soon as any one of its links is fixed, so staying current removes most chains even when not every bug in them has been patched.
### Workarounds
* **Retirement:** Per U.S. government mandates, decommission all End-of-Life edge devices that no longer receive firmware updates; an unpatchable device has no remediation other than replacement.
* **Network Segmentation:** Isolate edge appliances and their management interfaces from the core internal network, and restrict what the appliance itself is allowed to reach, so a compromised perimeter device cannot be used as a pivot inward.
## Detection
* **Indicators of Compromise:** The report names the **Brickstorm** malware family; hunt with vendor-published Brickstorm signatures and IOCs rather than generic rules.
* **Detection Methods:**
* Monitor for outbound connections initiated by the perimeter appliance itself (as opposed to traffic it forwards) to destinations outside its expected set of update, NTP, DNS and logging endpoints.
* Audit access logs for source code repositories and development environments for unfamiliar accounts, off-hours access, or bulk clone/download activity.
* Use network-level traffic analysis (flow records, span/tap capture) for devices that cannot host EDR agents.
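The appliance-egress check above, worked through on constructed flow records. This is an added example, not code from GTIG, Mandiant or any vendor; the appliance inventory, the egress allowlist, the sample flows and the beacon thresholds are all assumptions for illustration. It assumes the flows were captured on the management VLAN, so the appliance's own IP appears as source only for traffic the device itself originates (on a NAT firewall's outside interface, forwarded user traffic would carry the same source address and this check would not apply as written).

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Self/management IPs of perimeter appliances that cannot host an EDR agent.
# Constructed inventory for this example; in practice pull it from the CMDB.
APPLIANCES = {
    "203.0.113.2": "fw-edge-01",   # hypothetical firewall
    "203.0.113.3": "vpn-gw-01",    # hypothetical VPN gateway
}

# Destinations an appliance is expected to contact on its own behalf
# (internal syslog/SIEM, NTP, DNS, vendor update mirror). Assumed allowlist.
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
ALLOWED_PORTS = {53, 123, 514}

# Constructed flow records (NetFlow-like CSV) of appliance-originated traffic.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto,bytes
2025-06-01T10:00:00Z,203.0.113.2,198.51.100.10,123,udp,76
2025-06-01T10:00:05Z,203.0.113.2,10.0.5.20,514,udp,300
2025-06-01T10:01:00Z,203.0.113.3,192.0.2.44,443,tcp,1480
2025-06-01T10:02:00Z,203.0.113.2,192.0.2.99,443,tcp,52000
2025-06-01T10:05:00Z,10.0.5.50,192.0.2.44,443,tcp,1000
2025-06-01T10:11:00Z,203.0.113.3,192.0.2.44,443,tcp,1480
2025-06-01T10:21:00Z,203.0.113.3,192.0.2.44,443,tcp,1480
2025-06-01T10:31:00Z,203.0.113.3,192.0.2.44,443,tcp,1480
"""


def is_expected(dst_ip: str, dst_port: int) -> bool:
    """True if the destination is on the appliance's legitimate egress allowlist."""
    addr = ip_address(dst_ip)
    return dst_port in ALLOWED_PORTS and any(addr in net for net in ALLOWED_NETS)


def analyze(flow_csv: str, min_beacon_flows: int = 4, max_jitter: float = 0.1) -> list:
    """Return one alert per (appliance, destination, port) outside the allowlist.

    An alert is marked beacon=True when at least min_beacon_flows connections
    recur at near-constant intervals (coefficient of variation of the gaps
    below max_jitter), the pattern a C2 implant on a firewall or VPN gateway
    typically produces. One-off flows are still reported, since a single
    large upload from a perimeter device is itself worth a look.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src_ip"] not in APPLIANCES:
            continue  # only traffic the appliance itself originates is of interest
        port = int(row["dst_port"])
        if is_expected(row["dst_ip"], port):
            continue
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        groups[(row["src_ip"], row["dst_ip"], port)].append((ts, int(row["bytes"])))

    alerts = []
    for (src, dst, port), events in groups.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        jitter = (statistics.pstdev(gaps) / mean_gap) if mean_gap > 0 else 0.0
        alerts.append({
            "device": APPLIANCES[src],
            "src": src,
            "dst": dst,
            "port": port,
            "count": len(events),
            "bytes_out": sum(b for _, b in events),
            "interval_s": mean_gap,
            "jitter": jitter,
            "beacon": len(events) >= min_beacon_flows and jitter < max_jitter,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

On the sample data this yields two alerts: vpn-gw-01 reaching 192.0.2.44:443 every 600 seconds with zero jitter (flagged as beacon-like), and fw-edge-01 sending a single 52 kB flow to 192.0.2.99:443 (reported, not flagged as a beacon). Real implants add jitter to their sleep interval, so tune max_jitter against a baseline of the appliance's legitimate periodic traffic rather than leaving it at the illustrative 0.1.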
## References
* Google Threat Analysis Group blog: hXXps[://]blog[.]google/threat-analysis-group/
* The Record: Mandiant on China-linked espionage exploiting Ivanti vulnerabilities: hXXps[://]therecord[.]media/china-espionage-ivanti-vulnerabilities-mandiant
* The Record: Google counts 90 zero-days exploited in 2025, commercial vendors prominent: hXXps[://]therecord[.]media/google-90-zero-days-exploited-2025-commercial-vendors